In the weeks and months since the much-publicized Target hack, which exposed tens of millions of customer card records, I've had countless conversations about "What's that mean to me?" After having explained the impacts enough to my friends, family, coworkers and industry peers, I thought I would take a moment and put pen to paper.
But wait, after the cards were/are compromised, the banks reissue you a new card, they let you dispute any bad transactions and the merchants may offer you a discount to keep you coming back. So, no harm, no foul, right? Not so fast ...
This is not an article about Target. They're not even the latest victim in a never-ending series of attacks aimed at separating customers from their hard-earned money. The fact of the matter is, attackers will always find a way into systems where there's enough reward -- they will devote the resources to make it happen. One look at the anatomy of the attack at Target and you can see how determined they are to make things work to their advantage.
However, only a few cyber-thieves are capable of going to the extraordinary efforts to attack a Target-sized retailer. Unfortunately for us, there's much lower-hanging fruit in smaller businesses. Symantec's 2014 Internet Security Threat Report showed that 61 percent of all targeted attacks were aimed at small businesses with less than 2,500 employees, 41 percent were aimed at businesses with less than 500 employees, and 30 percent were aimed at businesses with less than 250 employees. The National Cyber Security Alliance also noted that 1 in 5 small businesses falls victim to cybercrime each year -- and of those, 60 percent go out of business within six months after the attack.
With constant attacks assured against businesses of all sizes and the resulting expenses to secure information systems, those costs have to be paid for somehow: they're factored into the costs of the goods sold by merchants to their customers. With industry-wide PCI compliance costs in the billions of dollars, that's a lot to pass along to us as consumers. A report from TSYS (with some good EMV-migration humor regarding projected dates tossed in) does a nice job showing the huge costs of protecting card data.
The card industry has done a magnificent job of downplaying the impact of fraud losses on the consumer, as born out by the questions from my relatives post-Target. As evidence, a fantastic all-on-one-page resource for fraud is from CardHub. Some highlights include:
· Credit card and debit card fraud resulted in losses amounting to $11.27 billion during 2012.
· In 2012, the U.S. accounted for 47.3 percent of the worldwide payment card fraud losses, but generated only 23.5 percent of total volume.
· Retailers incur $580.5 million in debit card fraud losses, and spend $6.47 billion annually on credit and debit card fraud prevention annually.
However, at the very beginning and even before presenting the incredibly high fraud numbers, CardHub says, "what consumers generally do not know is that they are shielded from liability for unauthorized transactions made with their credit cards via the combination of federal law issuer/card network policy." This statement is entirely true but unbelievably shortsighted.
With $11.27 billion in fraud and another $6.47 billion spent on fraud prevention (not much of a return on that investment) that means somehow, some way, the "system" must account for a total fraud cost of $17.74 billion. Nearly all of which will be passed on, in one way, shape, or form to you as a consumer. Think about that number for a moment - that's about $563 spent/lost for every second of every day of the year. The card industry has done a fantastic job of downplaying these incredible numbers because they want you to keep using your cards, and let's face it, we always will. But isn't it time to demand that the industry do a better job in "shielding" us from these losses?
I keep coming back to that number spent on fraud prevention: $6.47 billion spent just to lose $11.27 billion. How can anyone possibly justify those numbers as appropriate status quo? It's clear: we're not protecting the right thing in the right way. The industry has focused on protecting these pools of card data at rest, they're talking about EMV migration (more cost, I wonder who will pay for that, any guesses?), and they're still not looking in the right direction.
For all of the money spent on card systems and security, there is -- and always will be -- only one piece of the payment equation that knows absolutely if a transaction is good or bad: and that piece -- that person -- is you. So, since it's clear that you're paying for security that isn't even close to working, shouldn't you have a better say in how you're being protected?
The point of this article is that, even if you think you're not seeing money leaving your checking account due to fraud, you actually are. It's a huge cost born out in the increased costs of goods we consume at every point. It's time for us to demand more from our merchants and our banks to protect us better than they are today -- after all, we're paying for it.