The National Retail Federation, in testimony before Congress (see article), said that the government should expand protections for debit card users (federal protections for debit card users are weaker than those for credit card users), pass a national breach notification law and boost prosecution for cyber crimes.
The harder question is who is responsible for breaches. Is it the software companies that make buggy software? Is it the businesses that don’t install patches and take aggressive measures to protect consumers’ information? Or is it consumers that choose passwords like 123456?
The answer to this is that all of these parties share blame and all of these parties need to take action to fix the problem. Absent that, the bad guys will likely continue to win. While consumers are not liable for more than $50 when hackers use their credit cards, those costs show up somewhere. That somewhere is higher bank fees and prices at stores.
Will changing laws on debit cards stop the Target attack? Will a national breach notification law protect Sony or its employees? Will more prosecutors or different laws stop the Chinese (if it is them) from attacking Anthem? Unfortunately, the answer to all of these questions is no.
The only way we are going to make any impact on hacking is if we – businesses, software makers and consumers – start taking the right actions.
The article points out that some retailers, like Target, are swapping out mag stripe credit card readers for chip-and-PIN-based readers. The article says, and I agree, that these cards, already in use in many countries but not widely used in the United States, will reduce credit card fraud because they are harder to counterfeit.
Let’s examine why those stores are doing that.
Merchants don’t want to get new credit card readers because they have to pay for them and train both employees and customers on how to use them. This is especially painful for older people who did not grow up in the digital world.
So if this is true, why are businesses starting to replace their credit card readers?
Mastercard and Visa have changed the rules. Effective October of this year, if credit card fraud takes place and the store does not use chip-based credit card readers, the store eats the fraud rather than Mastercard and Visa (this is a slight simplification, but basically accurate).
You draw your own conclusions.
I suggest that people – software developers, businesses and consumers – will change their ways when it is more painful or expensive not to change than to change. Unfortunate but true.
My two cents.