In 2005, it happened at TJX Cos. In 2008, it happened at Hannaford. Earlier this month, it happened at Target.

Customers’ credit and debit card numbers (and more, in Target’s case) were stolen by computer hackers, who use the information to make fake cards, resell the data on the black market or run up fraudulent charges. The Target data theft could wind up being one of the largest in history, affecting about 40 million people, likely including thousands who visited the retailer’s stores in Maine.

In the wake of massive breaches such as these, security experts urge consumers to notify their banks, monitor their statements and watch for unauthorized transactions. They’re good suggestions, but they miss the bigger picture: Weak security makes it far easier to commit credit card fraud in the United States than it should be.

Retailers, banks and credit card companies could do more to protect consumers, but none of them wants to foot the bill. Though a solution is supposed to be in place in about two years, it could take the U.S. far longer to adopt best practices.

Turn over your credit or debit card, and you’ll see a magnetic stripe that stores account information, such as the cardholder’s name, account number and the card’s expiration date. This 1960s-1970s technology makes U.S. cards easy to copy. In most other countries, digital chips on the cards hold the account information. Because the chip is tough to replicate, criminals generally don’t bother.

Why hasn’t this changed? Implementing the chip system calls for banks, retailers and credit card issuers to replace 1 billion magnetic-stripe debit and credit cards and put in place new processing systems. Because only about 5 cents is lost to fraud for every $100 in credit and debit card transactions, the chip shift isn’t seen as worth the cost.

By October 2015, the picture could brighten, say optimists: That’s the deadline set by major credit card companies for U.S. retailers to embrace smart cards. After that date, stores that process fraudulent sales from magnetic-stripe cards could get stuck with the losses.

But others say 2018 is a more realistic time frame in which to expect change, especially considering that it costs about four times to make a smart card as it does to make a magnetic-stripe one. “Ten years from now, we’re still serving up magnetic-stripe cards,” David Robertson, publisher of a newsletter that follows the industry, recently told Businessweek.

For the foreseeable future, expect the burden of protecting consumer safety to remain with the consumer. That’s what happens when nobody has an incentive to make credit cards more secure.