It happened yet again. A company doing business online was hacked, and the personal information of its customers was stolen.
Ironically enough, the victim this time was Kickstarter, a high-tech operation that helps fund startups and other businesses. In December, the personal financial data of 40 million Target customers was compromised, and at the end of January, White Lodging Services Corporation, which works with 168 hotels in 21 states, confirmed that it was examining a data breach.
Enough is enough. It is time that the banks, credit card companies, retailers, and yes, their customers, work together to solve a problem that is undermining the online – even the brick and mortar – economy. Here’s my four-step plan.
1) Move aggressively to replace credit and debit cards that use easily-hacked magnetic strips with more secure chip-and-PIN cards. These cards contain embedded chips that hold information and require PINs for access. If you travelled in Europe recently, you’ve likely seen these cards, and you may have heard that fraud dropped dramatically (34 percent in the United Kingdom) after they were introduced. The Target data breach brought this issue to the forefront, and there’s a target (no pun intended) date of October 2015 to implement chip-and-PIN in the United States. Whether or not the financial services industry and the large retailers actually follow through remains to be seen.
Sure, it will cost money to make the switch; merchants will have to install new point-of-sale devices capable of reading the new cards, and the cards themselves have to be manufactured and distributed. There’s also resistance from retailers because it is easier to get marketing data from a magnetic strip than from chip-and-PIN cards. But I say it’s time for the change, and the sooner the better.
2) So who should foot the bill? Everybody! I think it is only fair that a portion of the cost be borne by consumers via a small, temporary transaction fee that credit card companies would then rebate to merchants. This is especially important for small businesses, which are sometimes dropped as customers by the credit card companies if they pass on too many fraudulent charges. The alternative is higher prices for everybody.
3) Make retailers more accountable. Banks currently bear the brunt of the costs associated with credit card fraud. Retailers have some accountability because when fraud piles up, the card companies charge them more per transaction. But those fees are tiny and aren’t large enough to act as a deterrent. So, at the very least – and this is an idea that already has some traction in Congress – retailers should be required to immediately notify customers of a data breach. Some states already require immediate disclosure to customers; others don’t. There should be a uniform law that addresses, and mandates, that disclosure. Retailers should also be required to offer customers free credit watch services when there’s a data breach, just as Target did.
4) Force consumers to take security seriously. You’ve probably seen stories about the most commonly-used passwords: the word “password” and “1,2,3,4,” etc. That has to stop. Online commerce sites, including those of the credit card companies, should make consumers change passwords at least once a year. If they don’t, their access to the site should be blocked or revoked. That might really bother some consumers, but having their identities stolen could be much, much worse.