The Future of Credit Card Security: Paying Safely in a Post-Target World

Will cash become the best way to pay for goods? Or can new payment technologies remedy the bad taste left in consumers' mouths after the Target data security breach?

As many shoppers are now aware, Target experienced a massive security breach between November 27 and December 15, 2013, with the personal data of up to 110 million customers having been compromised. In January, Neiman Marcus experienced a similar hack, and in the weeks since, various expert reports have suggested that even more stores are also currently at risk. This has left many consumers wondering: How have so many retailers been hoodwinked by hackers? And is there any truly safe way to pay for goods outside of cash? To help better understand the changing credit card landscape consumers are facing, we've laid out all the details on what information might have been at risk and explored the various ways consumers can shop online and remain secure.

Both Financial & Personal Information Stolen

Using software called BlackPOS, developed by a Russian teenager, hackers corrupted Target's Point of Sale devices (credit and debit card readers) in brick-and-mortar locations. The hackers were able to capture personal data immediately after a credit card was swiped, according to Brian Krebs, the security blogger who originally broke the story. The data was then stored in a repository within Target's own internal system, which, the company recently revealed, hackers were able to crack by stealing vendor credentials.

Target initially confirmed that up to 40 million credit and debit card accounts had been compromised. The information stolen included everything stored directly on a credit or debit card's magnetic strip: account number, cardholder name, and expiration date. It also included encrypted CVV data, which is used to confirm in-store purchases. (CVV data is not the same as the 3-digit CVV2 code found on the back of your card and used to verify online purchases.)

Weeks later, Target also confirmed the theft of additional "Guest Information" for up to 70 million customers, with some possible overlap between the two groups. Target would only say that the data "may have included names, mailing addresses, phone numbers, or email addresses."

But Target's Guest ID accounts also contain unknown amounts of data on customers' personal lives, financial history, and shopping habits. In fact, the company's data collection policies came under scrutiny in 2012, when a New York Times article profiled how it used big data and statistics to win over customers, specifically pregnant women. The article related an apocryphal story that Target once sent a teenage girl baby product coupons before her own father knew she was expecting.

However, the company has never confirmed or denied what personal data it collects, and it can't be confirmed that any of this additional information was lost in the recent hacking.

Criminal Use of Stolen Data

Target's security breach appears not to have given criminals enough information to create new lines of credit in consumers' names to commit identity theft. But experts fear the stolen data could be used in phishing scams, where the thieves attempt to get more information from victims, like social security numbers or mother's maiden name, while posing as representatives from banks or stores. It's important to note that Target has offered free credit monitoring for a year to all of its customers in order to combat potential criminal use of data.

This recent data breach is one of the largest in US history. Second to it was the hacking of TJX (the parent company of TJ Maxx, Marshalls, and HomeGoods) in 2007, when data from over 45 million customers was stolen. In 2009, hundreds of millions of transactions were compromised when payment processing company Heartland Payment Systems was hacked. And since the Target incident, retailers Neiman Marcus and Michaels Arts & Crafts have also announced security problems.

Credit Cards Are Still the Safest Form of Payment, After Cash

Despite such high-profile data breaches, credit cards remain one of the safest ways to shop online and in stores—not necessarily because they are the most secure, but because they leave the shopper the least liable for any problems. The federal Truth in Lending Act limits consumer liability for fraudulent credit card purchases to $50 in stores, and $0 online. Some card providers even waive the $50 liability.

But debit cards are governed by a different federal law, the Electronic Fund Transfer Act. If a consumer reports the unauthorized activity within two days of discovering it, the liability is the same as a credit card: $50 in store, $0 online. However, after 48 hours, the in-store liability shoots up to $500. And after 60 days, consumers may be fully responsible for the fraudulent charges.

Several payment alternatives exist, but all have drawbacks. PayPal boasts of data security and PCI (payment card industry) standard compliance. But its ambiguous regulatory status (not a bank or credit card company) sometimes makes it difficult to dispute transactions. And while a paper check might feel akin to paying in cash in terms of the likelihood of the information being lost during one of these wide-scale digital attacks, most retailers actually scan checks before depositing and electronically cache the information therein, which means your name, account number, and routing number might still be on file.

Tap-and-pay technologies have also been heralded as the future of digital payment options. The wireless-enabled chips appear in a number of credit and debit cards and on smartphones. Such NFC technologies allow users to pay for goods simply by tapping their phone, card, or wallet on a scanner. But some security experts fear that putting even more sensitive information on a smartphone, and then transmitting it through an unsecured network, could decrease its security.

EMV Might Be the Future of Secure Payments

However, there is one technology that may make American credit and debit cards safer. The US is one of the last industrialized nations not to utilize the EMV system for credit cards. Commonly known as "chip-and-PIN" in the UK, these cards do not use magnetic strips, but a tiny computer chip. The chips are harder to read and allow for multiple levels of encryption. A personal identification number (PIN) must be entered for all transactions, thereby providing even more security.

In the aftermath of the recent security breaches, EMV is getting increased attention in the news, though retailers and card providers remain resistant to the high costs of installing new card readers and cards. Still, EMV likely would not have stopped the Target breach. Since hackers infiltrated the POS devices, they could have captured the personal information no matter how it was scanned.

Regardless of how you decide to pay for goods in-store and online, it's important to be diligent in your transactions. Be sure to keep a close watch on your financial statements and balances. Unless you want to carry around enough cash for all of your purchases—which brings its own kind of security risks—it pays to monitor your accounts with a careful eye.

Benjamin Glaser
Contributing Writer

Ben was Features Editor at DealNews from 2014 to 2017, when his shopping insights were highlighted by Good Morning America, Reuters, the Washington Post, and more. Though no longer in consumer news, Ben still loves getting a great deal (and writing about it!).


The second paragraph ends with: "... hackers were able to by stealing vendor credentials." Grammar check!
Greg the Gruesome

You're right; I was wrong. My apologies.
Lindsay Sakraida (DealNews)
@Greg the Gruesome No, we do not have those numbers reversed.
Greg the Gruesome
>Point of Sale devices (credit and debit card readers)

That's incorrect. The device on which you swipe your card is separate and distinct from the POS. When the store "associate" scans the item you want to buy, it's the POS that the item info goes into. (Source: commenters.) Old fogeys like me may still refer to POS's as cash registers.

>Target initially confirmed that up to 40 million credit
>and debit card accounts had been compromised.

>Weeks later, Target also confirmed the theft of additional
>"Guest Information" for up to 70 million customers

You have those numbers reversed.

>Still, EMV likely would not have stopped the Target breach.

What is your source for this? The commenters at KrebsOnSecurity thought otherwise.

>Since hackers infiltrated the POS devices, they could have
>captured the personal information no matter how it was scanned.

Since you conflated the card reader and the POS, I think you're wrong about this.
While traveling overseas I have encountered some merchants who will not accept a credit card unless it contains a chip.