After thieves hijacked credit and debit card data belonging to 40 million Target shoppers, many blamed the retail giant for putting them at risk of identity theft.
But some experts are also pointing to a less visible culprit: the credit card industry. Card issuers might not have been able to prevent the recent data breach at Target, but if they had upgraded to more secure technology, they could have deterred thieves from using that stolen information to make counterfeit credit cards.
U.S. banks rely on credit cards with magnetic strips, which can be easily reproduced by thieves, while European banks have issued millions of more modern "smart cards" that are embedded with computer chips. Smart cards encrypt transaction information, require thieves to know the cardholder’s PIN, and can generate one-time-only passwords.
Smart cards would not eliminate credit card fraud entirely. The technology can stop criminals from using stolen credit cards in checkout lines, but it would not prevent thieves from using cards online, where people type their credit card numbers to make purchases.
But if U.S. banks issued smart cards, "you would stamp out counterfeit cards," said David Robertson, publisher of The Nilson Report, a credit card industry trade publication.
“Anyone can make a counterfeit magnetic strip card, but a chip is far different,” Robertson said. “You’re not going to have crooks making chips.”
The credit card industry plans to transition to smart cards, but the deadline for retailers to accept them or be held liable for fraudulent transactions is still nearly two years away. Some say that card issuers should have switched sooner, given that smart cards have been around for about two decades and credit card breaches have been happening for years.
"This Target breach could be the real impetus to moving toward chip cards," Robertson said.
U.S. banks still rely on credit cards with magnetic strips, largely because upgrading to cards with chips would be expensive, according to Robertson.
It costs about five times more to make a credit card with a chip than a magnetic card, he said. In addition, U.S. banks have been reluctant to issue smart cards because they would require retailers to make expensive upgrades to their payment systems, which companies have been unwilling to do, Robertson said.
Robertson also said banks have been slow to transition to smart cards because digital wallets -- which would allow shoppers to make purchases by waving smartphones instead of cards -- are on the horizon and could make smart cards irrelevant.
Jason Oxman, chief executive officer of the Electronic Transactions Association, which represents the payments industry, said the industry was moving toward smart cards but the transition was complicated. Eight million merchants in the U.S. that currently accept credit cards would need to upgrade, and 1 billion credit and debit cards in circulation would need to be replaced, he said.
“It’s not quite as simple as snapping a finger,” he said.
Oxman noted that the amount of fraud is still relatively small. Companies that issue credit and debit cards lose about 6 cents to fraud for every $100 worth of credit and debit card transactions, he said. For companies like Visa and Mastercard, the loss has historically been seen as the cost of doing business, Robertson said. Card issuers could create one-time-only passwords for online transactions, but have “decided that’s too much to ask consumers,” he added.
Target has apologized for the recent breach, which occurred between Nov. 27 and Dec. 15, and offered a discount on purchases at its stores last weekend and free credit monitoring to affected shoppers.
But credit card data from Target shoppers has already started appearing on black market websites that sell information for as much as $100 per card, according to security blogger Brian Krebs.
Some banks have either canceled debit and credit cards belonging to Target shoppers or placed spending limits on customers who used their cards at Target during the breach.
Oxman said Target shoppers who lost money from the breach would be made whole.
For many shoppers, the frustration caused by the Target breach has come as they try to do last-minute Christmas shopping. Last Thursday, Mark Montgomery, of Philadelphia, got a call from his bank telling him it was closing his debit card because of the security risk from the Target breach. But his new card has yet to arrive, he said on Monday.
Not only did that leave Montgomery temporarily without enough cash to buy Christmas gifts for his family, he said, but the debit card was linked to several bill payments that are now bouncing back, generating more than $125 in fees.
"The biggest headache is that I planned to purchase almost all of my gifts this weekend and was limited to the cash on hand," Montgomery said. "I had like $2,000 that I could not get to."
He added, “I am rethinking my debit card use going forward, and it will be a long time before I go back to a Target store."