The massive Target data security breach is costing banks and credit unions millions of dollars and increasing pressure on merchants and card issuers to change the way credit cards are swiped.
The National Retail Federation is calling for an immediate transition from magnetic-stripe cards to more-secure and advanced "PIN-and-chip" cards to better protect consumer data from theft, hacking and skimming.
The NRF says banks need to replace current credit and debit cards with cards that would store data in an embedded computer micro-chip and require the use of a personal identification number rather than a signature.
Current cards use easy-to-hack 1960s technology, the NRF said last month in a letter to Congress.
"For years, banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next-generation PIN-and-chip card technology for customers in Europe and dozens of other markets," NRF president and chief executive officer Matthew Shay said in the letter sent to Senate Majority Leader Harry Reid, D-Nev., and House Speaker John Boehner, R-Ohio.
PIN-and-chip cards are widely used in more than 80 countries throughout Europe, Asia and Africa, the NRF said. The Smart Card Alliance says American Express, Discover, MasterCard and Visa have all announced roadmaps for moving to PIN-and-chip cards in the United States and some U.S. banks have already started issuing payment cards with the technology.
Credit card companies, however, say implementing the new cards isn't an easy process.
Charles Scharf, chief executive officer for Visa, said Thursday merchants and card issuers need to work together toward better data security standards and better payment security standards.
"Maintaining trust in the electronic payment systems is our highest priority and we are actively exploring new ways to enhance the safety and security of the payment system," Scharf told analysts Thursday on an earnings report conference call
He said card issuers can't implement the cards on their own. "We need merchants, acquirers and issuers to be supportive."
"There are an awful lot of terminals out there and awful lot of cards that have to be updated, and this has to be done in a way that does not disturb commerce," said Scharf in a transcript of the call.
"In 2011, we had announced a plan to migrate the U.S. to EMV technology through a liability shift beginning in October 2015, and we've reaffirmed these dates."
EMV is a trademark that stands for Europay, MasterCard and Visa, which are the companies that developed the card payment standard.
The Credit Union National Association said last month the Target data security breach has already cost U.S. credit unions $25 million to $30 million and that number was expected to rise as more financial institutions report their costs and as fraud losses are incurred down the road.
"Contrary to what some may think, these expenses will not be reimbursed to credit unions and their members by Target or other retailers," CUNA President and Chief Executive Officer Bill Cheney said in a statement. "Rather, credit unions must solely cover these costs of their card program administration, including in these circumstances of reacting to a merchant data breach."
A survey of 936 credit unions indicates the Target breach has cost credit unions an average of about $5.10 per card affected by the security lapse.
The credit union group said these costs most likely do not include any fraud losses, which are likely to occur later.
The majority of credit unions (77 percent) whose members were affected by the Target breach have already reissued debit or credit cards to their members.
Watch out for phishing emails that may come out of the data theft. The Better Business Bureau reminds consumers to "check before you click."
"Phishing emails may attempt to fool you into providing your credit card information or ask you to click on a link or open an attachment, which can download malware designed to steal your identity, the BBB said in a release. "Don't click on any email links or attachments unless you are absolutely certain the sender is authentic."
Murray Jennex, a San Diego State University management information systems professor, offers a few tips to help identify phishing emails.
"Phishing emails don't know your name, they will start with 'Dear Customer' or something like that," he told UPI in an email. "Additionally, phishing emails will be keyed to something you want, either money, a product, a job, etc., and the better ones will look really good and professional."
"Finally, phishing emails will always want you to either click on a link, download a file, or send in information."
In some cases, scammers may use a person's name correctly, which Jennex describes as "spear phishing," but legitimate companies will ask consumers to log into their account -- without providing a link -- or to call them directly using the number on the card.
"Bottom line -- never click on a link or download a unsolicited file," he said.