The Risks Of Credit And Debit Cards And How To Safeguard Consumers

MS. DIANE REHM

10:06:53
Thanks for joining us. I'm Diane Rehm. Credit card experts say small-scale data security breaches are common. The one experienced by Target last month was notable mostly for the size of the theft. About 40 million credit and debit card records were stolen from that retailer. Neiman Marcus also revealed a significant breach.

MS. DIANE REHM

10:07:18
Here in the studio to talk about safeguarding Americans' credit and debit card data: Doug Johnson of the American Bankers Association and Shane Sims of PricewaterhouseCoopers; from an NPR studio in New York, Robin Sidel of the Wall Street Journal; and, by phone from Bella Vista, Ark., Mark Horwedel of the Merchant Advisory Group. I'm sure many of you have your own questions. Give us a call, 800-433-8850. Send us your email to drshow@wamu.org. Follow us on Facebook or send us a tweet. Welcome to all of you.

MR. DOUG JOHNSON

10:08:09
Thank you.

MR. SHANE SIMS

10:08:10
Thank you, Diane.

MR. MARK HORWEDEL

10:08:11
Thanks for having us on today. Appreciate it.

MS. ROBIN SIDEL

10:08:12
Hello.

REHM

10:08:13
And, Robin, if I could start with you, tell us what we know so far about these data breaches that occurred at Target and Neiman Marcus.

SIDEL

10:08:26
Well, we don't know that much about what happened at Neiman Marcus. They haven't really released a lot of information. We know a lot more about Target. And there was malicious software known as malware that got into their system. And that's where the bad guys got in and pulled out the data from credit card and debit card customers. And then the company also revealed that there was a breach of other data as well, email addresses, regular addresses and names that was separate from, actually, the credit card incursion.

REHM

10:09:01
As I understand it, the Neiman Marcus breach occurred more than a month ago. How come we're just learning about it?

SIDEL

10:09:13
Well, I think that retailers often don't know exactly how to handle this. I mean, first of all, it takes a while for them to figure out what has gone on. And then they don't really know the extent of it. So there's always this internal battle at a company about when you publicly disclose something and even if you need to publicly disclose something because there are a lot of these breaches that happen that you and I never know about.

REHM

10:09:39
Robin Sidel of the Wall Street Journal. Turning to you, Shane Sims, how does this happen? At what point? Explain to us what it is that occurs to create the theft.

SIMS

10:09:57
So what happens is these criminals from all over the world will target an organization. And they'll go through a multi-step process to accomplish their objectives, which in this case is the theft of payment card information.

REHM

10:10:11
What do you mean a multi-step process?

SIMS

10:10:15
So step one for them will be to do some reconnaissance of systems that are used on the Internet by the Target organization. So whoever they are targeting to steal the information from, they're going to understand what their attack surface looks like.

REHM

10:10:30
How long does that normally take?

SIMS

10:10:33
I would say that takes days to weeks.

REHM

10:10:37
OK.

SIMS

10:10:37
To really establish what the attack surface looks like. And then once they find a vulnerability with those systems, they will exploit that vulnerability and then have access to the target network.

REHM

10:10:50
So explain exactly where the theft occurs and how.

SIMS

10:10:56
Yeah. So once they achieve access to the network, they begin to explore the inside of the infrastructure of the organization they've targeted. And they will look for systems that have the information they want. And a lot of times -- and in the case that we're dealing with here -- the point-of-sale systems contain the information that the attackers are after. So they will actually navigate to those systems and install malware, as Robin mentioned, on those systems to get the information.

REHM

10:11:28
Now, I gather there's no way for a company to know that somebody has even targeted it before the thefts begin.

SIMS

10:11:42
What we typically see is the criminals get into the environment, and they're inside the network for days to weeks trying to understand where the data is and establishing their foothold. And the organizations do not know this activity is going on.

REHM

10:11:58
I gather that you were a special agent for the FBI for 10 years, focusing on cybercrime, so you've seen this happen many times.

SIMS

10:12:11
I have. I've been involved in cybercrime since it began in the '90s. And I've had an interesting seat to witness how criminals have evolved over time. And I think what we're seeing here are very organized groups. They're very sophisticated. They understand how companies secure their information. And they work very hard to plan and develop ways to circumvent that security.

REHM

10:12:34
Now, what happens once they glean this information? How do they then use it?

SIMS

10:12:44
Well, they use it in a variety of ways. So we often see that the theft of credit card information or payment card information in general is then sold on the black market and on the Internet. And there's value to each unique account number in all the data that would be contained on the mag stripe, the magnetic strip on the back of the credit card or debit card. So these criminals can actually profit from selling the data that they've stolen. Or they can use it themselves to then commit various frauds, like credit card fraud.

REHM

10:13:14
Shane Sims of PricewaterhouseCoopers. And now to you, Doug Johnson of the American Bankers Association. If your credit or debit number is stolen without your knowledge and somebody makes a purchase, what's the liability to the consumer and to the bank?

JOHNSON

10:13:42
Well, the liability to the consumer is really zero in most cases because the bank will reimburse.

REHM

10:13:50
If it's a credit card purchase.

JOHNSON

10:13:52
Or if it's a debit card purchase. I think the difference is, is that, to the extent that it's a debit card purchase, the transaction may actually end up on the account and the customer may not be aware of it. And so they may end up having some other transactions and may overdraft their account based upon the fact that they were not aware those transactions occurred. That's the difference. If there's fraud on the account, regardless whether or not it's debit or credit, essentially the customer will be made whole and reimbursed by the financial institution.

REHM

10:14:21
But I gather you've got to be responsible for notifying the bank pretty quickly.

JOHNSON

10:14:29
Absolutely. You should always be evaluating your account, not just your account statement but also your online account because that's where you're going to see the unauthorized transaction most quickly. Don't wait for your monthly statement. But if you do wait for your monthly statement, you still do have 30 days to make that -- to the extent that it's a transaction that wasn't caused by the fact that you lost a card. If you've lost your card, immediately contact your financial institution because you only have several days to be able to do that, to the extent that you know the card was lost.

REHM

10:15:02
Is it better to use a credit card or a debit card?

JOHNSON

10:15:07
Well, every customer is going to have their own preference. But I think that clearly, as I just described, there is some additional potential consumer pain when you're talking about a debit card because there may be that unauthorized transaction on the account, you may not be aware of it, and because of that, you may end up overdrafting your account.

JOHNSON

10:15:26
But to the extent that you're someone that evaluates your account on a continual basis -- and that's what we really recommend -- and you see that transaction immediately, you can refute that transaction, and then it won't cause you any particular harm on the debit side.

REHM

10:15:44
Shane Sims, Forbes posted an article on its website yesterday titled, "Why Even North Korea Outpaces the U.S. in Credit Card Security." Talk about the so-called EMV cards that are available in Europe and even in North Korea and why we don't have those here.

SIMS

10:16:13
I wish I had an answer to that question. And Doug may have one for us, but, yeah, the Chip and PIN, as it's referred to on these cards that are being used in Europe, just gives the consumer an extra layer of protection. I think you can call it multi-factor authentication as a way to describe it. So when you execute the transaction, you have to have the chip that's on the card present for the transaction.

SIMS

10:16:38
And the consumer has to enter a PIN. So there's two factors there, and it makes it more difficult if the criminals were to actually steal the credit card information to then actually commit the credit card fraud.

REHM

10:16:50
So from your view, Doug, at the American Bankers Association, why is it that we don't all have those EMV cards, providing at least one more layer of security?

JOHNSON

10:17:08
Well, first of all, Diane, in our country, we didn't legislate it. And I think that's the first piece. Secondly, we have a large economy. We've got thousands of financial institutions. I think, going forward, we both, as bankers and as retailers, have an obligation to move as swiftly as we can toward EMV, to put that other layer of security in there. And I think that, yeah, there's expenditures that are going to have to be made on both sides. And I think that's what we need to do.

REHM

10:17:33
Mark Horwedel of the Merchant Advisory Group, would you like to see that EMV technology in place as soon as possible?

HORWEDEL

10:17:46
Yes. I think that I would add that the current plans to move to EMV in the U.S. need to be supplemented by some additional steps that so far are not a part of the EMV road maps that major card networks have focused on. So we want to see a holistic approach that includes a number of other steps as well.

HORWEDEL

10:18:14
And I think, as Mr. Sims pointed out, one of the foremost steps is that U.S. consumers should be equipped with a PIN, whether we're talking about a debit card or a credit card, so that, again, I think, as he said, it's not just about having something that you're carrying with you, a card or some other device, but you also have something that you have to know, a PIN.

REHM

10:18:38
All right. Mark Horwedel of the Merchant Advisory Group. Short break. More on that when we come back.

REHM

10:20:00
And welcome back. We're talking about credit card theft, the big data theft that occurred at Target during the Christmas holidays. And now we have learned that Neiman Marcus had a breach of security as well. Doug Johnson is here in the studio. He's with the American Bankers Association. Shane Sims is a partner at PricewaterhouseCoopers.

REHM

10:20:34
Robin Sidel is on the line with us. She's with The Wall Street Journal covering the credit card industry. And by phone from Bella Vista, Ark., Mark Horwedel of the Merchant Advisory Group. Mark, I want to come back to you. You were telling us that you feel that there have to be some additional steps taken in addition to that chip, such as...

HORWEDEL

10:21:10
Requiring a personal identification number or PIN on every transaction, that's been the rule throughout most of the rest of the world most recently. In Canada, when they converted to EMV, while they had PINs on all their debit cards prior to the conversion, they added PINs to all their credit cards as well. And the merchants feel very strongly that that step needs to be taken in addition to those that have been outlined by the card brands so far in order to more thoroughly protect the U.S. consumers.

REHM

10:21:49
Robin, I wonder if you would talk about the timeline for widespread adoption of this EMV technology here in the U.S.

SIDEL

10:22:02
Well, as of -- some rules came out from Visa and MasterCard a couple of years ago. And as of 2015, the liability will shift to merchants. Right now, if there's fraud, the banks pick up the tab. And by 2015, that liability will shift to merchants. But this is a battle that has been going on for years. And it bubbles up and then calms down. And obviously it's situations like this where there's a very public breach that it really bubbles up and people start talking about it again. But the credit card industry and the merchants have been fighting over this issue for years.

REHM

10:22:39
So, Mark, in your view, is that 2015 deadline on the shift of responsibility from the banks to the merchants going to speed up the process?

HORWEDEL

10:22:56
It'll speed up the process. It's an impossible date to make. Many merchants simply cannot make that date. There aren't even enough resources, frankly, at...

REHM

10:23:07
What resources are necessary? Explain.

HORWEDEL

10:23:13
Well, the resources -- I was about to refer to the resources even at Visa and MasterCard and the processing -- third-party processors that do business with the merchants in the U.S. to thoroughly test and certify the entire merchant community in the U.S. before that date.

REHM

10:23:30
I don't understand. I wonder, Shane, if you would explain.

SIMS

10:23:40
I'm not sure actually. What we're dealing with here is a crime wave that has evolved over the last decade. And it's going to get worse over the next 10 years. It's not going to slow down. We have to do something. We need to step up the protection of the consumer. And we need to help organizations in the private sector help protect their networks and where the information exists because this crime wave is really going to get worse.

REHM

10:24:05
Doug Johnson, what is the hardware and the software that need to go into place to create a safer use of the credit card?

JOHNSON

10:24:20
Well, first of all, on the card itself that the banks issue, there will be a chip on that card. And...

REHM

10:24:27
Not until 2015?

JOHNSON

10:24:30
Well, some institutions -- an increasing number of institutions, they're already deploying the chip on the card.

REHM

10:24:37
Who?

JOHNSON

10:24:38
Well, Bank of America, for one, has the card. There's a number of other institutions and some credit unions that have the card deployed as well. And you'll see an increasing number of those institutions over time doing that. And institutions also have the responsibility by fall of 2015 to put EMV on their ATMs. And so that will actually protect the ATM because that's where there's a great vulnerability to bank customers because you can do a direct cash out as opposed to having to buy merchandise. And so that's another piece of protection that I think is very important.

REHM

10:25:11
When you say a direct cash out, explain that.

JOHNSON

10:25:15
So in -- let's use the Target breach as an example. If, in fact, the PIN was compromised and not encrypted or decrypted so the criminal has essentially the account number and the PIN, well, then essentially that criminal can go to an ATM -- any ATM and essentially have access to that individual's account. And so they don't have to go through that process of having to buy merchandise and fence merchandise or do things of that nature, which sometimes happens on the criminal side.

JOHNSON

10:25:49
So that's why as part of this movement toward EMV, it's important to also protect the ATM environment because a breach at a retailer can also make the customer vulnerable at that ATM.

REHM

10:26:00
Robin, talk about the politics behind all this. What is the delay?

SIDEL

10:26:09
Well, it's a real chicken-and-egg scenario. And the banks and the merchants need each other, but they also fight over a lot of things in this industry. And it's just been going on for years. The banks -- it's expensive to issue these cards for the banks, and so they don't want to issue the cards until the merchants have the hardware and software in place. And the merchants say they don't want to turn the switch and get this stuff in place because nobody has the cards. So it's a classic chicken-and-egg situation. And they've been fighting over it, as I said, for a very long time.

REHM

10:26:48
Is there any estimate on how much the adoption of the EMV card could reduce the risk of fraud?

SIDEL

10:27:00
I think the view in the industry is that it would be significant. I was speaking with a senior executive in the credit card industry yesterday. And the problem is, as he said, everybody knows that the U.S. is more vulnerable than other parts of the world, so the fraudsters are coming to the U.S. And so if you make it an even playing field, that's going to be less likely to happen. The U.S. won't be the only target. And, look, nobody knows if the chip and PIN is going to be the salvation that people think it is. I mean, the bad guys are pretty smart, and they keep coming up with new ways to infiltrate the system.

REHM

10:27:37
So right now, the question is, who's going to bear the cost of changing the system, Robin?

SIDEL

10:27:49
They both will. They both have to. I mean, you know, the banks have started issuing some of these chip and PIN cards but a very, very small amount. And they're actually only really issuing them to people who travel frequently abroad. So if you have a travel credit card or one that's an airline credit card perhaps, that signals you travel a lot. And so they're issuing them to those people -- it's a small group -- to make their life easier when they go abroad. But it's millions and millions of dollars for both the banking industry and the merchant industry.

REHM

10:28:22
Doug Johnson, you already have a credit card with that chip installed. Had you used that card at Target, would you have been protected?

JOHNSON

10:28:37
Well, we don't know at this particular juncture because there's some question as to whether or not the PIN information, when it was compromised, was encrypted which would make it very difficult for someone to decrypt or whether or not it was plain text, which would allow someone to have that PIN information and then be able to essentially, you know, use that information. I think that what EMV does is it makes a random number associated with the transaction.

JOHNSON

10:29:11
And so if, for instance, Target had their point-of-sale device where you swipe -- EMV enabled and you swipe it, that transaction has a unique number associated with it. And that card has a unique number associated with it for that transaction, so you can't use -- you can't duplicate that because the chip is what's making that random number essentially. So there is an extra level of protection, Diane, that would've existed to the extent that EMV was in place both at the point of sale as well as on the card.

JOHNSON

10:29:43
Now, if the card was enabled and the point-of-sale device wasn't, well, then you don't have full protection. And that's why when we fully implement this on a voluntary basis toward the end of next year, if the retailer does not put the point-of-sale device in place as EMV enabled, they have the liability.

REHM

10:30:02
I see. Mark, you might just talk about how retailers who are -- who had their security breached, such as Target and Neiman Marcus, how does this affect them?

HORWEDEL

10:30:20
It creates a lot of problems. It's probably more reputational damage than anything else because the consuming public is concerned about the security surrounding the use of their cards. And so it's -- you know, it's a very costly event for merchants. I would suggest much more costly than from anybody else's perspective associated with payments.

REHM

10:30:47
Here's an email from Russ in Punta Gorda, Fla. "Please ask why the people that have credit cards and debit cards in the U.S. should not be given the chip cards. Everyone in Europe has. Last year, I was in a restaurant in France where the card reader would not take my swipeable card, so I had to pay cash and go to the place down the street where my magnetic strip could be read to replenish my cash." So, Robin, how long have these EMV cards been available in Europe and elsewhere?

SIDEL

10:31:38
For a long time, for years, and just increasingly. It's usually kind of a staggered process where they adopt them country by country. And Canada has adopted it in the past couple of years as well. And that's -- the person who wrote in, I mean, that is an issue, and that is why, I guess, his credit card company -- maybe they didn't travel often enough to kind of be in that group that gets one of these cards from his U.S. credit card company.

REHM

10:32:09
Do you want to comment, Shane?

SIMS

10:32:13
Yeah, I totally can sympathize with the person that posted that question. It's happened to me, too, traveling overseas. And it's very frustrating for consumers. And it's very concerning for consumers when these merchants have these breaches, even though, as we've learned here today from Robin and Doug and Mark, that there's really no impact -- no financial impact to the consumer. That doesn't change the fear factor. And it's really, really important that we begin to do something, whether it's the chip and PIN and/or improve security on the backend of these merchant environments.

REHM

10:32:47
Well, indeed, as Doug has pointed out, these folks who've had their security compromised could, in fact, have their ATMs compromised as well. So whether in fact they're really hurt remains to be seen. And you're listening to "The Diane Rehm Show." I'm going to open the phones, 800-433-8850. First we'll go to, let's see, David in Lebanon, Ohio. You're on the air.

DAVID

10:33:32
Thank you, Diane. Great show today so far.

REHM

10:33:34
Thank you.

DAVID

10:33:36
I'm not terribly objective because I work for an insurance company that insures credit unions against losses due to credit and debit card, just like we're talking about right here. And I know we've weighed in quite a bit on how this has impacted the consumer and the merchant to a degree. But what nobody really talks about -- and it always irks me -- is that the credit card brands themselves, Visa and MasterCard, have almost no downside on this, almost no responsibility when it comes -- monetarily when it comes to these losses.

DAVID

10:34:21
And that's always irked me that they just keep pushing to make it easier and easier for consumers to use their cards to the detriment of the merchants and the financial institution.

REHM

10:34:34
That's interesting. How do you respond, Doug Johnson?

JOHNSON

10:34:38
Well, the networks themselves are responsible for putting together the operating rules associated with the use of the cards. And so I agree that the liability isn't there. I think their responsibility is to really ensure that there's a proper level of information security requirements for merchants and for banks. And that's what's called the payment card industry data security standard. But I think that, you know, from the network's perspective, that's really their job is to try to build a consistent set of security requirements for the network and to ensure that the network works seamlessly.

REHM

10:35:13
Mark, do you want to comment?

HORWEDEL

10:35:16
I think that they do suffer damage from the standpoint of the impact on their brands and, you know, the views of consumers about using their cards. I would say, however, that when these breaches occur, merchants pay a tremendous amount of money to the brands by way of PCI fines. And so, you know, indirectly they profit from this.

REHM

10:35:39
All right. Thanks for that. And let's go to Grants Pass, Ore. Marcus, you're on the air.

MARCUS

10:35:49
Yes. Hi, Diane.

REHM

10:35:49
Hi.

MARCUS

10:35:50
Just wanted to say how much we love your show. I listen to it every day on the way to work.

REHM

10:35:54
Thank you.

MARCUS

10:35:55
In fact, I'm on the way to work right now to the hospital.

REHM

10:35:57
Good.

MARCUS

10:35:57
And, you know, as a frequent traveler to Europe -- we have a home in Switzerland. My dad immigrated here to the United States many years ago. And we still have family. We go there quite often, at least once a year, sometimes twice a year. And, you know, it gets really, really frustrating now when you have to go to the grocery store, and you can't buy things in the grocery store because your card doesn't get read anymore.

MARCUS

10:36:22
And the United States has made it very, very difficult for American citizens to get bank accounts in Europe. And so now you have to take cash. And, you know, traveler's checks are Stone Age, so...

REHM

10:36:35
All right. So what you want to know is how you can get a credit card that would work there, right?

MARCUS

10:36:43
Exactly, and, you know, why we can't get them. I know since I've been on hold waiting a little while, you know, you've discussed that, but it's just another...

REHM

10:36:49
OK. All right. Let's see what the response is, Doug Johnson.

JOHNSON

10:36:55
Well, I think that the European traveler was the first one to get the cards among United States citizens. And I agree with their frustration. I think that clearly we have an imperative to try to employ additional cards as fast as we possibly can. That's...

REHM

10:37:12
So can one simply apply for a card to...

JOHNSON

10:37:16
In many financial institutions. You can at your financial institution, yes.

REHM

10:37:19
All right. We're going to take a short break here. When we come back we'll hear more, take your calls. Stay with us.

REHM

10:39:57
And we're back discussing the thefts that have occurred through use of credit cards, debit cards. Here's an email from Pete, this one for you, Shane Sims. "How do the merchants detect a theft event?"

SIMS

10:40:18
There's many ways they could detect it. So if you go back to my discussion earlier about there's these different steps or different phases to a cyberattack, the first step is reconnaissance. So, you know, the criminals are looking for systems and looking for security holes on systems. That's a detection point. Once the criminals get access by exploiting one of these security holes, they install malware or this malicious software on the systems.

SIMS

10:40:43
That's a detection point. When they actually collect the payment card information and transfer it out of the environment to a system on the Internet that the criminals control, that's a detection point.

REHM

10:40:54
But somebody's got to be watching at all those points.

SIMS

10:40:58
It's very difficult. And the moral of the story is, most of the time detection comes by way of a third party. So either...

REHM

10:41:04
What does that mean?

SIMS

10:41:05
Either law enforcement notifies the merchant or the banks are triangulating all this credit card fraud back to a common point of purchase. And then they notify the merchant.

REHM

10:41:17
So it's after the fact.

SIMS

10:41:19
After the fact.

REHM

10:41:21
Almost everything is after the fact, Doug.

JOHNSON

10:41:25
I think it is true that financial institutions spend a lot of time talking amongst themselves to find that common point of compromise. We see authorized transactions that are reported to us by our customers. Those transactions obviously wouldn't have been at the store that was compromised. And so it's trying to find exactly what that common point of failure is. And so I think that's right that we end up, in a lot of cases, informing the retailer that we found that.

REHM

10:41:53
All right. And here's another from Michael in San Antonio. "Please discuss the likelihood that these breaches are inside jobs conducted or facilitated by the retailer's employees. And why don't banks and retailers do more to protect consumer information?" What about the possibility of an inside job, Shane?

SIMS

10:42:22
That's a very interesting question. And PricewaterhouseCoopers does a global information security study every year. And over the last three or four years we've seen this insider threat concept rise up in the study as a concern. And when we're doing our investigations of these breaches, we consider that as an element of the crime.

SIMS

10:42:42
You know, did an insider who had knowledge of how that network operates, were they colluding with the outside criminal organization? We have had some situations where insiders were at risk of colluding. Most of the time, from our perspective, though, all of these jobs are committed by an external threat actor.

REHM

10:43:03
And in the case of Target, is your assumption or is the evidence thus far leading to someone outside the United States?

SIMS

10:43:16
My knowledge of that incident is strictly through the news media. And from what I've read and what I've seen it would indicate that it's an outside job.

REHM

10:43:24
Robin, what do you know?

SIDEL

10:43:27
Well, I think one of the other potential risks in these kinds of situations are outside vendors. And companies like Target use a lot of outside vendors for all different things with their systems. And...

REHM

10:43:39
Give me an example. Give me an example.

SIDEL

10:43:42
Well, a vendor who will help safeguard or monitor or update their point-of-sale device. They use outside companies for a lot of these different things, so that kind of broadens the potential places where this incursion could've occurred. And so that's one thing I think people in the industry are very concerned about, not only it being somebody from the inside who had that access, but there are a lot of people from the outside who also can have that access and, you know, act in cahoots with an organized group.

REHM

10:44:19
Mark Horwedel, Congress has called for an inquiry into the Target data breach. Do you expect any widespread changes to be made?

HORWEDEL

10:44:35
You know, it's hard to know until, you know, we actually get into the middle of if there is in fact a committee hearing on the subject. I suspect that, you know, something like that might well lead to the discovery that there are other places where we can go to make the payment environment safer, many of which frankly we've advocated as a part of the conversion to EMV.

REHM

10:45:04
And, Doug Johnson, what could lawmakers do to make this process more safe?

JOHNSON

10:45:14
Well, I think that a lot of the discussion is around trying to build a national data breach reporting standard because one of the things which is currently true in our environment is there's a variety of state laws that companies have to abide by and financial institutions have to abide by in terms of breach notification.

JOHNSON

10:45:32
And I think there needs to be some clarity there so we have swifter notification of those breaches. Clearly I think that there's a necessity also to ensure that all the partners within the payment system have a comparable level of security. That's what the payment card industry data security standard is supposed to accomplish.

JOHNSON

10:45:51
But I think that one of the things that we see within the financial services environment right now is that there's a lot of attention being paid to those third parties that we've been discussing here on this call. And I think that there could be some value in having retailers have that same level of attention to their partners that are part of the payment process.

REHM

10:46:13
So what if Congress passed a law saying that every credit card issued should have this EMV chip in it and ordered that by, say, the end of 2015, every retailer had to have that mechanism in place to read that card here in the U.S.? What might Congress be able to do there?

JOHNSON

10:46:47
Well, if Congress was to put that in place, it would be actually frankly very similar to what the networks are trying to do on a voluntary basis through their guidelines. Institutions and retailers are not going to be specifically required to have EMV in place by the fall of 2015. But if they don't they have to incur additional liabilities associated with those transactions. Right now...

REHM

10:47:13
But of course they'll be insured, so they'll put it off onto the insurance companies.

JOHNSON

10:47:18
And the insurance companies will make some determination as to whether or not there was any negligence associated with that particular breach. So you get into that process as well.

REHM

10:47:29
All right. Let's take a call in Richardson, Texas. Hi Seena, you're on the air.

SEENA

10:47:37
Hi, Diane. Thank you for taking my call.

REHM

10:47:39
Sure.

SEENA

10:47:41
I actually have a second question that's come up while listening to your show. The reason I called was in regards to the financial benefit. Obviously this type of crime is done due to somebody trying to make money. And my question is, how much money is made by reissuing the credit cards and all of the hassle that everybody has to go through to correct the situation?

REHM

10:48:13
I'm not sure I understand the question.

SEENA

10:48:18
Well, when this happens and -- like, I myself am in a situation that I can't use my card for much of anything at this point. I have to wait for...

REHM

10:48:30
Why?

SEENA

10:48:31
I have to wait for a new card to be issued to me.

REHM

10:48:33
Usually they issue cards within 24 hours.

SEENA

10:48:40
Well, mine's taken over a week, and I know a lot of people, it's taken over a week at this point because there's so many that have to be reissued. What is the financial benefit -- who makes the money by having to reissue these cards?

REHM

10:48:55
Doug Johnson.

JOHNSON

10:48:56
Well, banks certainly don't make money by reissuing cards. There's essentially a substantial cost associated with the reissuing of those cards. It could be as much as $10 a card when you put in all the various costs associated with that. So I would certainly not call it a money-making operation. It's actually something that's very costly to financial institutions.

REHM

10:49:17
Robin, from your point of view, what can consumers do to protect themselves against fraud?

SIDEL

10:49:27
Well, I think we've discussed that a bit. And, you know, obviously you really need to pay attention to your statements, to your online account, looking at your transactions. And while debit cards are also zero liability, if someone takes that money out, as we discussed before, that money can be gone and it could take a lot longer time to replace it. So a credit card, if you didn't make that purchase, you don't have to pay. But a debit card, that money's already gone.

REHM

10:49:58
OK. What about all the online apps and shopping, Shane Sims?

SIMS

10:50:05
Yes. You know, as businesses continue to grow and expand and try to leverage the Internet to the best of their ability, it extends their attack surface. So the attack surface gets bigger. And as mobile apps go out...

REHM

10:50:18
You mean, if you have an app on your cell phone.

SIMS

10:50:22
Exactly. So that's just another point where criminals are looking to exploit so they can get access to the consumer's information.

REHM

10:50:29
But it's interesting because those apps can offer real economic savings to a consumer. So that's why they're so popular.

SIMS

10:50:42
No doubt. I mean, I'm a fan myself as a consumer. And I think the moral of the story here for businesses and merchants is that security has to be baked into the business strategy. So as you expand your business and think about your business in a creative way, security has to be a part of that discussion.

REHM

10:51:03
Well, I'm not sure where you're leaving me. If someone shops at a particular grocery store, for example, Safeway here in the Washington area, Safeway has an app that offers greater savings to individuals. Are you saying that it's Safeway's obligation to put in more security with that app than normally they'd have just at the point of purchase?

SIMS

10:51:42
Yes. Securing the information that you're collecting from a consumer is an obligation of the merchant. So -- and I think this goes back to a point that came up earlier that we might've lost here a little bit, is that we've talked about payment card information being stolen. But a lot of consumers are very, very concerned and worried that if criminals have access to these merchant networks, that their personal identities may be at risk, too. And I think in the example that you just mentioned, that's a very, very true risk that consumers have.

REHM

10:52:12
And of course Edward Snowden has shown all of us that nothing is safe. Would you agree?

SIMS

10:52:22
No doubt. He -- that situation has brought the insider threat angle, you know, back into the forefront of senior executives.

REHM

10:52:30
Doug Johnson.

JOHNSON

10:52:31
I just think it prudent for individuals to just use every tool they have available to protect themselves.

REHM

10:52:36
Are you saying, don't use apps?

JOHNSON

10:52:39
No. I'm saying, look very carefully at your transaction activity.

REHM

10:52:43
But that's after the fact.

JOHNSON

10:52:46
And it is after the fact, but it shouldn't stop you from making the transactions, because by and large 99 percent of those transactions are -- and more than that are going to be perfectly fine. That's why you monitor accounts on an ongoing basis. There's risk everywhere in the world. This is a very real risk. It's a risk that's going to continue to increase.

REHM

10:53:05
Doug Johnson of the American Bankers Association, and you're listening to "The Diane Rehm Show." Let's go to Jordan in Charlotte, N.C. You're on the air.

JORDAN

10:53:21
Hey, thanks, Diane.

REHM

10:53:21
Sure.

JORDAN

10:53:22
I appreciate you talking about this. There's one thing I haven't heard the whole time since the Target breaches, who the culprit is. And with, you know, the focus on technology being the first defendant against our, you know, financial safety, who did this and how much money did they make off of it? And isn't there a vested interest in us finding out, you know, exactly who this culprit was?

REHM

10:53:49
Sure. Shane, how far along are we in that knowledge?

SIMS

10:53:54
Yeah, that process takes a very long time for law enforcement to understand, you know, the actual people, the human beings that executed this attack. It could take months to years. And one of the advantages of cyber crime itself is that you can be anywhere on Earth. You know, you could operate from a country that makes it very difficult for U.S. law enforcement and U.S. agencies to cooperate with those countries and bring people to justice. So it's a very, very difficult challenge, but I know that the law enforcement agencies here in this country are working very hard to make that happen.

REHM

10:54:26
Robin, do we have any idea how much money is involved?

SIDEL

10:54:33
We don't at this point. There's a lot of rumors and speculations that these -- some cards have already gone onto the black market. Obviously it's the black market. It's very hard to track, but there's certainly the sense that this is real. JPMorgan Chase was very concerned about the prospect of fraud.

SIDEL

10:54:55
And so they reissued 2 million debit cards, which is very unusual for a bank to do, because they usually don't like to reissue cards until there's real evidence of fraud. And sometimes they would rather take the risk of fraud than to pay for reissuing cards. But it was enough of a concern that a big bank like Chase reissued 2 million cards. And that's really saying a lot.

REHM

10:55:17
Doug.

JOHNSON

10:55:18
Yes, it is saying a lot. I think that institutions don't want to inconvenience their customers to the extent that they feel they can monitor those accounts and look for unusual activity. And so in this case, obviously because of the very breadth of the breach, different institutions took a very aggressive approach, or the approach that made the most sense for them. But when you have on the order of 10 percent of your client base essentially impacted by this, that's pretty serious business.

REHM

10:55:44
And, Mark, what about the retailers involved? How much do you figure they will lose in dollars, or is it simply reputation?

HORWEDEL

10:55:59
No. It's -- there are severe fines and penalties that are leveled on the retailers that are involved in this that this happens to. And the reputational problems go on top of that.

REHM

10:56:16
All right. So last words, look at your statements every single month very carefully. Use your credit cards thoughtfully. But there's no way you're going to know at point-of-sale whether your information is being compromised. Is that a fair statement?

SIMS

10:56:43
That's a very correct statement, Diane.

REHM

10:56:45
All right. Shane Sims of PricewaterhouseCoopers, Doug Johnson of the American Bankers Association, Robin Sidel of the Wall Street Journal and Mark Horwedel of the Merchant Advisory Group, thank you all so much. And thanks for listening, all. I'm Diane Rehm.
Transcripts of WAMU programs are available for personal use. Transcripts are provided "As Is" without warranties of any kind, either express or implied. WAMU does not warrant that the transcript is error-free. For all WAMU programs, the broadcast audio should be considered the authoritative version. Transcripts are owned by WAMU 88.5 FM American University Radio and are protected by laws in both the United States and international law. You may not sell or modify transcripts or reproduce, display, distribute, or otherwise use the transcript, in whole or in part, in any way for any public or commercial purpose without the express written permission of WAMU. All requests for uses beyond personal and noncommercial use should be referred to (202) 885-1200.

The Diane Rehm Show is produced by member-supported WAMU 88.5 in Washington DC.