Poneman gives the additional example of a defense contractor client that had proprietary information stolen by hackers. "Getting into this defense contractor's system, on a scale of 1 to 10, is 100," he says. Instead, hackers focused on smaller companies that worked for the contractor and got in through them.
That's why employees and vendors are important. "You have to be a little less trusting," says Poneman. The culprit here was a janitorial service hired by the small business that worked with the defense contractor. Conduct the proper background checks — not just for your employees, but also for any vendors you hire to help your business.
Stolen Data Ends Up On Black Market
Of the 40 million cards stolen, anywhere from 1 to 3 million were successfully sold on the black market. Many were used not in physical brick-and-mortar stores but, rather, on online outlets selling high-end goods such as laptops, watches or jewelry that could easily be resold, says Liron Damri, COO of Forter, an Israel-based firm that offers fraud protection to small and medium-sized online merchants.
"Fraudsters won't necessarily go back to eBay or Target or Neiman Marcus and try to use those credit cards in those systems because their systems are very strong," he says. "They will try to take advantage of those medium-sized merchants and get money out of them."
Fraud charges work differently for online companies vs. brick-and-mortar stores. "If somebody steals a credit card and tries to make a transaction, the merchant will be covered and insured by the credit card company," Damri says. "If an online merchant is processing that credit card transaction, the person who would be liable for any damage is the online merchant. They are the ones liable to 'card not present' transactions."
Credit Cards Will Get More Secure, But Only in Stores
The biggest change that we'll see in the future of credit card security, says Hammond, is a move toward the European format of chip-and-PIN. All U.S. Target stores will have chip-and-PIN readers by September, and Target will begin issuing chip-and-PIN Target REDcards by the first quarter of 2015, according to the retailer. (Like many European card readers, the new Target systems will read both chip-and-PIN and magnetic swipe cards.)
Because Target is such a large retailer, this switch is already having an impact, even though their REDcards can be used only at Target stores and Target.com. According to the Discover Financial Services study, 86 percent of financial institutions plan to begin issuing chip-and-PIN cards in the next two years.
This won't be a failsafe solution, though. A side effect could be what we already see in Europe, where hackers focus more attention on online transactions. These aren't affected by chip-and-PIN security, as no card is present.