Every day merchants and processors hope criminal hackers don't target them, their systems, or their employees, knowing that if that hope runs out they will pay for any breach, even though no fundamental and permanent solutions are available for them to fight back. The credit card issuers don't care about the cost of compromised cards because they can simply fine everyone else with arbitrary judgments and without government oversight.
In the case of the Heartland breach, where intruders hacked into the systems used to process 100 million payment card transactions per month for 175,000 merchants and recorded credit card and CVV numbers from an internal data stream, Smart Card technology would have rendered the whole endeavor useless.
Smart Cards generate unique, one-time-only responses to financial transaction requests from the banks that issue the cards, so the data stolen would no longer be valid. The cards are also locked with a PIN code, so even the physical loss of a card is a non-event. The data transmitted should be encrypted, but it does not have to be, because the data stream is only good for one transaction. Attempts to use the same data a second time simply do not work.
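To make the replay argument concrete, here is an added, deliberately simplified model of the property described above: the card binds each authorization to a per-card key and a transaction counter, and the issuer accepts each counter only once. This is illustrative code written for this page, not the real EMV cryptogram algorithm; the key, amounts, merchant id and card number are constructed test values.

```python
import hmac
import hashlib

# Constructed per-card key shared only by the chip and the issuer (not a real key).
CARD_KEY = b"constructed-per-card-issuer-key"


def card_respond(counter, amount_cents, merchant_id):
    """Card side: MAC over this one transaction, including a monotonic counter."""
    msg = f"{counter}|{amount_cents}|{merchant_id}".encode()
    return hmac.new(CARD_KEY, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Issuer side: the cryptogram must verify and the counter must move forward."""

    def __init__(self):
        self.last_counter = 0  # highest counter accepted for this card so far

    def authorize(self, counter, amount_cents, merchant_id, response):
        expected = card_respond(counter, amount_cents, merchant_id)
        if not hmac.compare_digest(expected, response):
            return "DECLINED: bad cryptogram"   # altered amount, merchant or counter
        if counter <= self.last_counter:
            return "DECLINED: replayed counter"  # same captured data used twice
        self.last_counter = counter
        return "APPROVED"


def static_issuer_authorize(card_on_file, pan, cvv):
    """Magstripe-style check: a static number matches every time it is presented."""
    return "APPROVED" if (pan, cvv) == card_on_file else "DECLINED"


def simulate():
    issuer = Issuer()
    # A legitimate purchase; assume an intruder captured every field on the wire.
    captured = (1, 4999, "merchant-42", card_respond(1, 4999, "merchant-42"))
    first = issuer.authorize(*captured)
    replay = issuer.authorize(*captured)                          # same data again
    altered = issuer.authorize(7, 100, "merchant-42", captured[3])  # reuse cryptogram
    # The same capture of static track data replays freely (constructed test PAN).
    stripe = ("4111111111111111", "123")
    stripe_replay = static_issuer_authorize(stripe, *stripe)
    return first, replay, altered, stripe_replay


if __name__ == "__main__":
    print(simulate())
```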
While the industry has embraced the PCI-DSS security standards in an effort to safeguard sensitive customer credit card information, unfortunately PCI-DSS does not deal with sophisticated attacks, nor does it provide any sort of safe-harbor for those that implement it.
To protect against sophisticated attacks, all organizations conducting credit card transactions must implement more complex security strategies and technologies, such as network sensors, heuristic traffic analysis, and constant security auditing of their systems, traffic and personnel. And even if all of these efforts are undertaken, there is still no safe harbor.
The solution to Heartland-type problems is simple. First, mandate Smart Card technology for all credit card transactions and bring the United States into conformance with all other countries with respect to stopping fraud at its source: static credit card numbers.
And second, transfer the liability back to the credit card issuers unless the merchant and processor are culpable in the breach due to malfeasance. Culpability should be decided by a court of law. Let the government, not the credit card issuers, decide whether fining merchants and processors is the correct course of action. This will remove the perverse incentive system that allows credit card issuers to run insecure systems and transfer their liabilities to others.