The criminals who cracked Target’s defenses, stealing debit and credit card information of as many as 40 million shoppers who swiped at the retailer’s stores, exposed a major vulnerability in the way Americans pay.
“The credit card system is inherently broken,” said Jeremiah Grossman, the chief technology officer of Web-application security firm WhiteHat Security. “It’s a shared-secret system, in which everyone has the secret every time you swipe your card in the U.S.”
That secret is the data encoded on the back of magnetic-stripe cards: the name of the cardholder, plus the account number, security code and expiration date, among other vital bits.
As they scramble to deal with the Target breach, financial services companies are already looking to shift the system.
The most prominent way they’re doing this is with the chip card standard that card issuers use in just about every country in the world outside the U.S.
Those cards – known as “Europay, MasterCard and Visa,” or EMV – are armed with encrypted chips. EMV technology, experts explain, is just more secure than the magnetic stripes used on American cards.
Visa and MasterCard have said that merchants, with the exception of gasoline retailers, that don’t have the equipment to accept EMV cards by October 2015 will be liable for any fraudulent transactions made on their terminals, Luria said.
Until EMV takes hold, or something more resilient takes the place of the current payment system, consumers will just have to live with the headaches caused by breaches.
“It’s ultimately not the consumers who face the liability here. That’s the one beautiful thing about the credit card system,” said Robert E. Lee, a security business partner at Intuit. “If my card is stolen and used like this, I’m not out of pocket.
“There are all these consumer protections in place, even though the entire system is stupid.”