STEVE INSKEEP, HOST:
It's growing harder to get your brain around how enormous last year's thefts of credit card data really were.
RENEE MONTAGNE, HOST:
We learned in December information was swiped from millions of customers at Target.
INSKEEP: Now we know that breach was so big, it put the personal data of up to 1 in 3 Americans at risk for fraud.
MONTAGNE: Nor were the crimes limited to Target. Cyber thefts affected consumers at Neiman Marcus and other chains.
INSKEEP: NPR's Elise Hu reports on what lawmakers want to do now.
ELISE HU, BYLINE: The bad guys who stole data from as many as 110 million Target customers were so sophisticated that even the most modern security programs couldn't detect them. So Joshua Sands, who's still a loyal Target shopper, says he watching his transactions closely.
JOSHUA SANDS: It's like being on the Internet, you know, when they tell you, you should have an anti-virus on your computer. You always assume somebody's trying to get in.
HU: Cybersecurity companies say that's about right. Data theft at the terminals where you swipe your credit cards is getting unstoppable.
(SOUNDBITE OF SENATE PANEL HEARING) CHATTER)
FRAN ROSCH: This is kind of an ongoing war, and the types of threats are changing all the time.
HU: Fran Rosch represents the security software company Symantec. He appeared before a Senate panel on Tuesday.
ROSCH: Information's everywhere. It's in our data centers. It's in the Cloud. It's in, you know, software that sits in the Cloud, on mobile devices. So the threats are exploding, but so are the attack surface.
HU: As threats change with the speed of technology, lawmakers still move at the speed they always have. But as Minnesota Sen. Amy Klobuchar said, there's now more willingness to do something.
SEN. AMY KLOBUCHAR: If anything, we've learned from this major, major breach that we can no longer do nothing; that we have to take action.
HU: One action could be requiring more secure cards. American credit cards have already failed to keep up with European and Asian card technology, which feature encrypted chips. Chips prevent cyber thieves from reusing any stolen data after they steal it.
Again, Sen. Klobuchar.
KLOBUCHAR: Maybe there will be some other new, great thing that comes along. But what's stopping our country when they're doing this in Europe?
HU: U.S. cards haven't adapted sooner because it would cost retailers and banks hundreds of millions of dollars to change cards and card readers. But the recent breaches were so big that both banks and retailers are backing a changeover to chip technology together.
JOHN MULLIGAN: All of us need to move together simultaneously. It's a shared responsibility.
HU: Target's chief financial officer, John Mulligan.
MULLIGAN: The financial industry - obviously - they're, in general, the issuers of the cards. And so, again, in partnership with them, we need to move together collectively so that the whole system is employing chip and PIN technology.
HU: Visa and MasterCard are aiming to have chips in the majority of U.S. cards by fall of next year. But it could be longer before retail outlets change their card readers. So lawmakers are considering what they can do to speed up the change. Other options on the table deal with data theft disclosure and security standards.
Minnesota Sen. Al Franken.
SEN. AL FRANKEN: Right now, there's no federal law setting out clear security standards that merchants and data brokers need to meet. And there's no federal law requiring companies to tell their customers when their data has been stolen.
HU: Franken is co-sponsoring a bill to create those requirements, and both retailers and security companies signaled support. But the fast-changing tech terrain makes some lawmakers wary of any attempt at national standards.
Utah Sen. Mike Lee.
SEN. MIKE LEE: I'm always a little bit concerned about creating a new federal regulatory authority, in part because sometimes, once you establish something like that, it quickly becomes ineffective - especially if it's in an area like this one.
HU: The Target shopper, Joshua Sands, says he'll be watching his own data closely.
SANDS: You have to be vigilant for yourself, you know. You can't leave it up to someone else to, you know, handle your security.
HU: Until more systemic changes are put in place, the attacks on our payment systems are expected to continue.
Elise Hu, NPR News.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.