The Target breach is just the beginning, experts told Credit Union Times. Thieves will continue to find ways to access valuable financial and personal data.

Here are three reasons why:

1. Because they can.

By far, the main reason thieves have begun to steal card data from U.S. firms, some experts say, is because they can.

“The U.S. payments industry has become the one household in the neighborhood that has not upgraded its security system while everyone else has,” explained Karisse Hendrick, program manager in payments and fraud for the Merchant Risk Council, an international trade group that is organized to help firms fight card fraud. “When you are perceived to have security that is the easiest to beat,” she added, “thieves will try to beat your security.”

Breaches have their roots in the three large shifts in the global payments, technology and U.S. economic and political environments. Hendrick pointed out that the payments industry in the U.S. is perceived as among the richest, further heightening its desirability as a target.

“Those two things combine to make U.S. firms the biggest targets for data security breaches and subsequent fraud,” Hendrick said.

Further, the U.S. did not become the leading data theft target overnight, Hendrick noted. International criminal interest in the U.S. has been growing for years, as Verizon documented in its 2013 Data Breach Investigations Report.

As other countries have gradually tightened their security systems and implemented tools such as smart-chip cards with the EMV standard, the U.S. fraud prevention protocols have fallen farther behind, the Verizon report said. It's not that the Payment Card Industry Data Standards have not done a good job; the technology they were protecting is simply not as secure as other payment technology, Hendrick explained.

2. Thieves have upgraded their programming skills.

The second reason data breaches are here to stay is because thieves have gotten better at writing programs to steal the card data, industry watchers have found.

For instance, even though the phenomenon of a malware package that infected POS terminals came to widespread attention with the Target breach, the FBI has reported there were at least 20 breaches that used a similar approach. Further, the agency said it appeared thieves had used at least one malware package to test out firms' defenses. When that package they were developing did not perform well enough, the thieves created another one that worked better from their point of view.

3. Card issuers and retailers lack unification.

The third reason that breaches are likely to continue is the lack of a coordinated or unified approach to the challenge they represent. Previously, the U.S. payments industry was cohesive because card issuers and retailers agreed they were better off when consumers used a card to pay for goods and services as opposed to cash.

Retailers benefited from not having the risk of theft that came with cash and from the quick and guaranteed payments that cards represented over checks. Card issuers also gained from the interchange that card transactions generated by not having to pay for check processing. But the unified front has largely broken down in the face of retailers' legal and legislative challenges to interchange, and the resulting controversy has undermined the payments industry's ability to work together to confront the problem.

Executives with the National Retail Federation, one of the organizations that supported the Durbin Amendment's cap on debit interchange for issuers with more than $10 billion in assets and sued the Federal Reserve to lower them, complained that the current approach to card data security does not work and is costly to retailers.

Doug Kantor, a partner with the Washington-based law firm of Steptoe and Johnson, helped represent the NAR in its legal fight with the Federal Reserve and laid out some of the trade group's complaints about the current card data security regime in an interview with Credit Union Times.

Kantor said retailers already pay nearly all the costs of card data security on the acquirer side by making sure their systems comply with industry security standards. However, those retailers currently have no say in setting those standards.

“The data security standards come entirely from the card brands and card issuers without any input from retailers,” Kantor said. “Also, the data security standards don't provide foolproof protection from breaches and, if there is a breach, the retailers face enormous expenses in fines from the card brands and possible legal action.”

He said retailers believe the new chip cards on the EMV standard provide a very promising means of combating the threat but retailers want to play an active part in the new technology.

To illustrate, the card brands are currently adopting a standard for EMV cards that will not always require a PIN. These cards will have a magnetic stripe that will allow them to be swiped and a chip to provide data in real time which authenticates the transaction and the card.

Retailers believe this leaves them open to greater fraud risk and want the U.S. to mandate the use of PINs, Kantor said. Visa and the other card brands argue that in an economic environment like the U.S., where almost all transactions are going to be online and thus verifiable in real time, the PINs are not needed.

Read more: What can credit unions do?

Assuming the two different parts of the payments industry remain divided and criminals continue to develop novel attacks on payment systems, how can such efforts be countered and fraud losses limited?

First, some experts agree it is never too late to re-emphasize basic computer security and procedures. At press time, retailer Target acknowledged that the malware that infected its POS terminals was introduced by someone who stole the credentials of one of its vendors in order to gain access.

“This recent announcement from Target confirms that the biggest breaches are due to insider threats, especially with privileged users and administrative access,” said Eric Chiu, president & co-founder of HyTrust, a Mountain View, Calif.-based data security firm that focuses on the cloud. “The bad guys are now using advanced threats to steal credentials and pose as employees, and once on the network, they look the same as good guys.”

Chiu said access controls, role-based monitoring and data security are critical to securing against these new insider threats, especially in cloud environments that concentrate systems and data.

Second, credit unions should start to live with the assumption that their members' cards will likely be breached at some point and plan for those breaches.

Carlton Howard, vice president of risk management at the $2.2 billion Coastal Federal Credit Union in Raleigh, N.C., said daily checks, security blogs and data tracking sites are used to get an advance warning of any breaches so that there is enough time to craft a strategy.

Coastal also has a pre-purchased number of plastics on hand at its fulfillment partner so that should a breach occur, the credit union can quickly reissue cards, Howard said.

The $1.9 billion Summit Credit Union in Madison, Wis., makes sure its fulfillment partner keeps its plastics on hand and has added card security breaches to its crisis management plans, said Becky Gerothanas, senior vice president for operations.

“The goal is to make sure that we think out what to do and who is responsible for what if we have one of these things happen on a large scale,” Gerothanas said, adding, “so we aren't trying to figure it out as it happens.”

Both Carlton and Gerothanas also stressed the importance of communicating fully and often with members to alert them about the breach and to ask their assistance in helping the credit union protect their cards against fraud losses.
