Chick-fil-A has entered the illustrious ranks of companies publicly shamed after a major credit card breach, in this case possibly extending back to 2013. It likely won’t be the last time, especially in the wake of growing security problems with U.S. companies from Target to Sony, with medical records, credit card information, and other data making their way into the hands of hackers. It’s clearly time to reconsider our approach to security, and if corporations aren’t willing to do it, reevaluating credit card and financial regulations may be the best way to protect our data.
That the company has only now released information about fraudulent activity linked to customer visits to its franchises is a telling component of the problem with financial security in the United States. Like other companies affected by data breaches, such as Target, Home Depot, Kmart, Goodwill, P.F. Chang’s, Staples, Dairy Queen, Bebe, Michaels, and Jimmy Johns, Chick-fil-A was slow to notify customers, which created a snarl of fraudulent transactions and headaches for customers and banks alike. Millions of people annually are forced to endure the process of disputing transactions, ordering new cards, and addressing identity theft concerns, while banks ate $11 billion in 2011 alone, with merchants losing even more, as consumers are not liable for disputed charges later proved fraudulent.
Despite the immense cost of not securing cards and information adequately and the number of high-profile data breaches, the industry is lagging on security. Part of the problem is a fundamental infrastructure issue. The systems we use for processing cards date to the 1970s, and they are difficult to secure by nature, as they were built for a different era. But that’s not the only problem.
In much of the rest of the world, banks issue what are known as “chip and pin” cards, which include a chip embedded in the card and require a customer to enter a personal identification number for each transaction. Such cards are much more difficult to clone than conventional magstripe cards, as replicating the pin is challenging. That’s precisely why so many overseas banks have adopted the technology—and, under pressure, the U.S. is slowly doing the same. But the issue is complicated by point of sale systems, which have become the bottleneck when it comes to security reform to prevent data breaches.
Every time consumers swipe a card, the data collected is sent through a merchant services company to confirm the card’s validity and balance, authorizing or declining the transaction depending on the result. Point of sale systems are vulnerable to skimming, which relies upon a physical device to collect credit card data, but they’re also hackable. Retrofitting such systems to support chip and pin is a costly endeavor, especially for small retailers, but it’s critical to increase security.
Malware installed on point of sale systems can transmit mass amounts of credit card data, allowing hackers to clone cards—which are then used to purchase gift cards and large-ticket retail items to resell in the hopes of exploiting a card before the user, or the bank, notices the problem. Chip and pin would close this loophole, and that’s why MasterCard and Visa indicated that they were going to start requiring retailers to use the technology by October of this year. President Obama signed an executive order reinforcing this guideline by requiring an even earlier adoption of the technology for U.S. government bodies.
Merchants can decline to make the change, but they’d better be ready to pay the price, as the two major credit card companies won’t cover fraudulent charges incurred on point of sale systems that don’t support chip and pin. The move will certainly break the stalemate between card issuers, banks, and retailers, as each has been reluctant to adopt chip and pin until the others do.
Tokenization, like that used by Apple Pay and Google Wallet, is an even more secure system, as it functions by generating a unique number for each transaction to protect consumer data. While still vulnerable—as is any technology—it represents far fewer risks for the consumer and may be an important component of any reforms to reduce fraud risks.
Banks should also be taking more responsibility for monitoring and tracking fraudulent activity. While many exceed at automated identification of abnormal card activity, they struggle with connecting the web of fraud and finding a single common source—a patient zero, as it were. Banks could learn a lesson from epidemiologists when it comes to indexing cases of fraud and rapidly tracing them back to their commonly-shared source. Unlike epidemiologists, they have access to a critical data set that would normally need to be gathered by hand in the form of a list of every place a consumer went over a given period of time.
Rapidly processing linked fraudulent transactions can work both ways; in addition to using routine algorithms to check for commonalities between fraud cases, credit card companies could also determine if there’s a higher percentage of fraud linked with specific point of sale systems or companies. Rapidly notifying companies would help those companies plug the source of the data leak, which is often outdated or inadequate security for point of sale systems and financial data.
The industry’s slow movement on an issue that costs it billions of dollars annually feels bizarre; perhaps banks are intimidated by the scope of the problem and the costs of implementing solutions. Delaying reform, however, is not going to resolve the issue. Rather, it will just compound as hackers build more backdoors, malware, and other tools to access poorly secured data. As Sony learned at great cost, poor corporate security can be an irresistible temptation. Locking down security doesn’t have to be difficult, but it does need to be thorough.
If the banking industry won’t step up, federal agencies responsible for banking regulations may need to address the problem. Requiring the adoption of chip and pin technologies is a start, but it’s not enough. Mandating firmware and software upgrades as well as security audits and demonstrable proof that companies are keeping up with the latest in security is also important. Such requirements need to span banks, point of sale manufacturers, credit card companies, and retailers that want to accept credit cards. Yes, implementing them would be expensive, but in the long term, they might be what we need to fix a clearly broken system.
Such data breaches also reveal some interesting shortfalls in the financial industry. At what point will consumers get so frustrated with financial services that they turn to their old and familiar friend, cash? It’s possible that the entire credit-based culture of the United States could change, with consumers turning away from unreliable cards and embracing analog banking.