ARI SHAPIRO, HOST:
This is WEEKEND EDITION from NPR News. I'm Ari Shapiro. The holiday season is approaching, a time for Santa and sales and fears of credit-card breaches. Cyber thieves have already stolen millions of card numbers this year. Kmart and Dairy Queen are among the latest victims. Charles Lane from member station WSHU explains that shoppers are heading into the heavy-spending season with no new safeguards in place.
CHARLES LANE, BYLINE: When you hear about a data breach, Bryan Sartin is one of the guys who goes in to investigate.
BRYAN SARTIN: I've seen my own personal information in those lots of stolen data many, many, many, many, many times.
LANE: Sartin heads a team of forensic computer techs for Verizon - good-guy hackers, basically. For a while, he and his desk-mate had a running joke.
SARTIN: How frequently in our cases we would find one of his credit cards. And I remember, back-to-back, it was like 2 out of 3 cases. And there was a third. We're like, it's not here, and he's kind of laughing. And then all of a sudden, we found his wife's.
LANE: Sartin says data breaches happen all the time. In fact, only about a third of them are ever made public, which surprised many shoppers here in midtown Manhattan, like Alexandra Goodell.
ALEXANDRA GOODELL: It's upsetting. It gets me angry. I work really hard, and I don't want to go out of my way to cancel my card and to nail down what happened.
LANE: One of the main reasons why U.S. credit card numbers are stolen so often has to do with how we process them after the swipe. Again, Bryan Sartin.
SARTIN: That transaction in a text format of some kind is sent to a server there at the store that all of the cash registers speak to.
LANE: Your credit card number then flies through the Internet to the merchant's main national computer, then to the processor, then to the bank and then back again.
SARTIN: It returns in .06 seconds with a yes or no.
LANE: And you walk out of the store while the transaction continues to ricochet across the country. And that's technology from the 1970s.
JASON OXMAN: What we need to do in the U.S. is completely replace an architecture that has been deployed over the course of the last 40 years. That's how long mag-stripe cards have been in the market.
LANE: Jason Oxman heads the Electronic Transactions Association. He says the magnetic stripe worked fine until the '90s. Then PCs came along that could counterfeit hundreds of credit cards. Because the U.S. had a really strong telecom network, retailers started verifying a card's authenticity online. In places where the internetwork wasn't so great, they adopted what are called chip cards or smart cards.
OXMAN: So that's one reason that we haven't used the chip cards. We haven't needed to because our online system of authorization has been a replacement for that off-line chip.
LANE: But by this time next year, you will likely be using the new chip cards. What slowed them down is the-chicken-or-the-egg conundrum. Banks didn't want to issue the chip cards if retailers didn't have the readers, and retailers weren't going to buy them if banks weren't issuing the cards.
OXMAN: There are more than 10,000 financial institutions that issue credit cards and debit cards in the U.S. There are 8 million merchants that accept credit and debit cards in the U.S.
LANE: But the new chip cards are only expected to cut about 60 percent of the fraud, which frustrates merchants. Mallory Duncan is general counsel at the National Retail Federation. He fears the credit card hacks will continue because at the core, the system's backbone is still the same - 16-digit account numbers flying across the Internet.
MALLORY DUNCAN: Unfortunately, all we're going to get in the near future is the not-quite-so-smart card. The problem is that this product itself is fundamentally flawed. You cannot secure a house of straw.
LANE: Duncan says retailers want something more. They're looking to what's called tokenization, where instead of your account number flying through the Internet, there's a one- time only randomly generated token of your account number. This is what Google Wallet and Apple Pay use.
DUNCAN: All of those, potentially, are much more secure for consumers than would be partially secure chip cards.
LANE: Tokenization is out there now, but not yet for credit cards. Because they require significant system upgrades for both retailers and the banks, it's that same chicken-and-the-egg problem - who spends the money first? For NPR News, I'm Charles Lane.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.