Posted by: Wendy Holmquist 01/03/2014
As we start off the New Year, I like to think about what can be done to make things better in 2014 for my family, my community, and my customers. Something that has come up repeatedly in the last few weeks relates to personal information security. There were pervasive stories in 2013 around personal information security breaches including the scandal at the NSA, a huge data breach at Adobe causing a cascade effect all over the internet due to users recycling user names and passwords, and most recently the exposure of 40 million credit cards at Target.
The credit card breach at Target over the holidays was the most disturbing to me personally. I am a huge Target fan and spend a lot of my time and money with the retailer. I also happen to have a Target Redcard that was impacted in the data breach, which was unwisely tied to my personal banking account. Over the Christmas holidays, I was discussing the Target data breach with some friends and asked the same questions that I had asked myself in the days following the breach.
- Does this breach make you not want to shop at Target anymore? The answer from friends was “no way” and “I love Target, even if they don’t protect my personal information”.
- Should I cancel my Target Redcard? Probably not, because the 5% discount on the thousands of dollars spent with them each year adds personal value.
- Should I have my bank card reissued, and break the link between Target and my bank account? Maybe. Just monitor the account for now.
The answers to these questions show the indifference that we have in protecting our confidential personal information. We prioritize convenience and preference over our own personal information security.
An immediate question on the Target breach would be whether they were in compliance with the Payment Card Industry Data Security Standard 2.0 (PCI DSS), which sets requirements for how cardholder data is stored, processed and transmitted. It would be easy to assume that, given the breach, Target was not adhering to PCI standards. However, full PCI compliance could have failed to stop the breach: it has been labeled as “sophisticated” and is currently under investigation by the U.S. Secret Service and the Department of Justice. There is increased speculation that the data could have been taken at the point of sale (POS) and/or was an inside job, against which the current PCI standards probably would have offered inadequate protection anyway. The new PCI DSS 3.0 standard, which took effect on January 1st, 2014 (its new POS requirement, 9.9, is a best practice until June 30, 2015, when it becomes mandatory), may have stopped the Target data breach by requiring merchants to inventory, monitor and regularly inspect POS card readers for tampering and substitution. Additionally, currently available technology for encrypting card data at the moment of swipe, inside the reader, would have limited the data loss: the POS software, and any malware running on it, would only ever handle ciphertext that is useless without the key held by the payment processor. It is my hope that more retailers will consider point-to-point encryption starting at swipe in 2014, given the countless credit card breaches through POS devices over the last several years.
So what did I do about my Target credit card exposure problem? The solution became urgent a few days before New Year’s through a completely different credit card breach. I got a call from my credit card company, this time my preferred airline credit card, regarding a $4200 charge at a large retailer on the East Coast. At the same time that I was charging small purchases with it on the West Coast, someone on the East Coast was trying to use what appears to be a physically duplicated credit card for purchases on the East Coast. Knowing that I couldn’t be at two places at once, the credit card company declined the East Coast charges and contacted me immediately. I had to cancel this credit card for the second time in six months (my previous card number was stolen while I was vacationing in Mexico), and have it reissued yet again. With this last credit card breach coming on unexpectedly, and probably a result of someone compromising my credit card over the holidays, I decided that I needed to break the link between my Target Redcard and my bank account. I canceled my bank card and had it reissued with a new number, and called Target to remove the card linkage. Going forward, I will link my Target Redcard with my new credit card so that I have an extra layer of monitoring and protection.
Am I going to keep shopping at Target and continue to use my Target Redcard? Of course. I get great value out of both my Target purchases and my Target Redcard, and will continue to support them through their recent data breach. I hope that through this event they will step up their security measures and hire industry experts to become a leader in protecting customer information. I am also increasing my own personal security by having my new credit cards issued with EMV smart chips in them so that they cannot be easily duplicated should the numbers be compromised. With so many recent breaches of personal information by our trusted corporate and government partners, I encourage my friends, my community and my customers to review their own internal security measures in 2014 and take reasonable steps to protect critical assets.