The sheer size and frequency of the recent credit card data breaches at Target, Neiman Marcus and other companies are prompting lawmakers to consider legislative options to keep sophisticated cyberthefts from happening.
"If anything, we've learned from this major, major breach that we can no longer do nothing," said Sen. Amy Klobuchar, D-Minn. "We have to take action."
The bad guys who stole data from as many as 110 million Target customers are so good at what they do that even the most modern security programs couldn't detect them. If security software can't keep up, hopes for regulation to stop fraud are slim.
"This is kind of an ongoing war, and the types of threats are changing all the time," said Fran Rosch, a vice president at the security software company Symantec. He appeared Tuesday before the Senate Judiciary panel, which explored legislative options in data security.
"Information's everywhere," Rosch said. "It's in our data centers, it's in the cloud. It's in software that sits in the cloud and on our mobile devices. So the threats are exploding, but so are the attack surfaces."
Lawmakers are considering a few policy changes to better protect consumers, such as pushing for more secure credit and debit cards. American credit cards have already failed to keep up with European and Asian card technology, which features encrypted chips. The chips prevent cyberthieves from reusing any data after they steal it.
"What's stopping our country when they're doing this in Europe?" Klobuchar asked.
Part of the problem is the complexity of the American financial system, which has so many competing card issuers, banks, retailers and business owners. Adopting systemic change to the way purchases are made would cost retailers and banks hundreds of millions of dollars.
But the recent breaches were so costly that banks and retailers are now jointly backing a changeover to chip technology.
"All of us have to move together simultaneously; it's a shared responsibility," said Target Chief Financial Officer John Mulligan. "The financial industry, obviously they're, in general, the issuers of the cards. So again, in partnership with them, we need to move together collectively so the whole system is employing chip and PIN technology."
Visa and Mastercard are aiming to have chips in the majority of U.S. cards by October 2015, but it could be even longer before retail outlets change their card readers. Lawmakers are asking what they could do to speed up the change.
Another plan would be to tighten data theft disclosure and security standards, an option pushed by Sen. Al Franken, D-Minn.
"Right now there's no federal law setting out clear security standards that merchants and data brokers need to meet, and there's no federal law requiring companies to tell their customers when their data has been stolen," Franken said.
Franken and Sen. Patrick Leahy, D-Vt., are co-sponsoring the Personal Data Privacy and Security Act, which includes those disclosure and security standards. Both retailers and security companies who appeared before senators Tuesday signaled support.
But the fast-changing tech terrain makes some lawmakers wary of any attempt at national standards.
"I'm always a little bit concerned about creating a new federal regulatory authority," said Sen. Mike Lee, R-Utah, "in part because sometimes when you establish something like that it can quickly become ineffective, especially if it's in an area like this one."
Outside a Washington, D.C., Target store Tuesday, Joshua Sands said he's still a loyal Target shopper but he's taking personal responsibility for his security.
"It's like being on the Internet, when they tell you you should always have an anti-virus on your computer," he said. "You always assume somebody's trying to get in. You have to be vigilant for yourself. You can't leave it up to someone else to handle your security."
Until more systemic changes are put in place, security experts say the attacks on our payment systems are expected to continue.