(Page 2 of 3)
During that time the customer's information flows through the network and is recorded, sometimes only briefly, on computers within the system controlled by payment processing companies. Retailers can store card numbers and expiration dates, but they are prohibited from storing more sensitive data such as the security codes printed on the backs of cards or other personal identification numbers.
Hackers have been known to snag account information as it passes through the network or pilfer it from databases where it's stored. Target says there is no indication that the three or four-digit security codes on the back of customer credit cards were stolen. That would make it hard to use stolen account information to buy from most Internet retail sites. But because the magnetic strips on cards in the U.S. are so easy to generate, thieves can simply reproduce them and issue fraudulent cards that look and feel like the real thing.
"That's where the real value to the fraudsters is," says Chris Bucolo, senior manager of security consulting at ControlScan, which helps merchants comply with card processing security standards.
Once thieves capture the card information, they check the type of account, balances and credit limits, and sell replicas on the Internet. A simple card with a low balance and limited customer information can go for $3. A no-limit "black" card with the security number printed on the back of the card can go for $1,000, according to Al Pascual, a senior analyst at Javelin Strategy and Research, a security risk and fraud consulting firm.
To be sure, thieves can nab and sell card data from networks processing cards with digital chips, too, but they wouldn't be able to create fraudulent cards.
Credit card companies in the U.S. have a plan to replace magnetic strips with digital chips by the fall of 2015. But retailers worry the card companies won't go far enough. They want cards to have a chip, but they also want each transaction to require a personal identification number, or PIN, instead of a signature.
"Everyone knows that the signature is a useless authentication device," says Duncan.
Duncan, who represents retailers, says stores have to pay more -- and banks make more -- on transactions that require signatures because there are only a few of the older networks that process them, and therefore less price competition. There are several companies that process PIN transactions for debit cards, and they tend to charge lower fees to stores. (continued...)
© 2014 Associated Press under contract with YellowBrix. All rights reserved.