The massive data breach at Citigroup has alarmed customers, angered lawmakers, and sparked debate on whether big banks are spending enough money on protecting their customers' information, the New York Times finds. Credit card companies have devoted their resources to preventing fraud once data is stolen and have not invested enough in preventing data breaches in the first place, analysts say. While banks have gotten better at curtailing fraud—today, it costs banks 5 cents of every $100 charged, down from 15 cents in 1992—some say banks have little reason to try to shrink that even more.
That's because fraud can actually be a source of income, thanks to charge-back fees for fraudulent purchases, and the fact that it's the retailer who often assumes the cost of improperly bought items. And so the embedded-chip system used in much of Europe and Asia has not been adopted by US firms, which argue that retailers don't want to invest heavily in upgrading their card readers. Technology to encrypt data as it flows across the payment system has also been shunned by most firms. "Unfortunately, some companies look at breaches as the cost of doing business," says the chief information officer of Heartland Payment Systems, which overhauled its systems after a massive breach in 2008. "That's not the right way to look at it. You need to be as secure as you possibly can be."