Target’s precipitous fourth-quarter net income drop following a massive credit card data breach and Neiman Marcus’s inability to track similar breaches serve as reminders of the crucial role data privacy must play in any company’s retail strategy in today’s economy. But the call for U.S. businesses to implement European-style smart-chip credit cards, also known as EMV (Europay, MasterCard and Visa) cards, may not be the answer in as many ways as some have hoped.
So far, Target’s breach has cost the retailer $17 million in net expenses in the fourth quarter (partially offset by $44 million received from insurance), with analysts expecting $400 million to $450 million in total losses. Early in February, Target CEO Gregg Steinhafel announced an accelerated plan to replace the chain’s magnetic strip payment cards with new chip technology. Yesterday, Target CIO Beth M. Jacob resigned.
Craig Hoffman, a partner at the national law firm BakerHostetler and an authority in the areas of data protection and security incident response preparedness, says retailers will be compelled to switch to chip-and-PIN-number cards by October 2015. That is when an edict from the credit card companies, MasterCard and Visa, kicks in, shifting liability from the banks that issue credit cards to retailers. (Two exceptions are gas stations and ATMs, which have until October 2017 to comply.)
But while chip-embedded cards may deter the kind of in-store hacking that makes for bad headlines, Hoffman says card-not-present transactions are likely to rise with implementation of the new cards. “The bad guys will start doing more transactions online,” he says.
Another, potentially larger, problem for U.S. retailers is that none of today’s point-of-sale devices use the EMV card technology, requiring large chains to invest in entirely new hardware to accommodate the new, more secure credit cards. “There’s tremendous cost to upgrade to EMV-enabled terminals,” says Hoffman.
In some ways, the timing couldn’t be worse. The promise of emerging payment forms, such as the Square digital wallet application and wireless payment systems, has not been fully realized yet, making it difficult for companies to decide which new terminals to install. Hoffman anticipates that retailers will need to accept a “broader range of transactions” in a few years, meaning that those that upgrade equipment to comply with the liability shift in 2015 may have to upgrade again shortly after.
EMV technology has existed since the early 1990s and has been in use worldwide, except for in the U.S., for at least a decade. Unlike magnetic-strip credit cards, which transfer personal data via an easily hackable magnetic strip, chip cards include a microprocessor that stores and transmits encrypted data, making them much more difficult to counterfeit. Face-to-face transactions usually require entering a personal identification number or a unique sign-off, unlike with magnetic-strip cards.
Until a few years ago, American merchants never felt compelled to make the switch, deciding that fraud losses were manageable and more affordable than an extensive changeover to new technology. Incidents such as the Target and Neiman Marcus breaches rapidly shifted that thinking.
Fears from merchants over varying requirements for authorization – EMV cards can be programmed to accept PINs, one signature or two signatures – highlight another deep-seated concern. Any increased friction in a transaction may create more problems than it solves. Encryption is an end-to-end process that requires the personal data to be encrypted at every stage of the transaction. Tokenization, where a unique digital token is created for one-time use, would eliminate the need for such costly systems but hasn’t yet been perfected.
Furthermore, “data value can go the other way with data encryption or tokens,” says Hoffman, adding that merchants “can lose information” vital to their operations.
While the path to more secure credit card transactions is far from clear in the current environment, companies can become more deliberate in their privacy processes and security assessments.
Hoffman recommends that companies hire a qualified security assessor (QSA) to check their transactional environment once a year and recommend improvements. That way they can better judge different card networks and the strengths of chip-and-PIN technology versus other options.
“If not for the Target incident, the EMV discussion wouldn’t have happened,” says Hoffman. But as the retail giant’s current predicament demonstrates, it’s never too soon to start.
For its part, Target has turned up the volume on its public advocacy for smarter payment cards at the point of sale.
“The data breach that struck our company spotlighted the sophistication of criminal hacker networks operating across the globe,” wrote John Mulligan, Target’s CFO, in an opinion article posted February 3. “One step American businesses could now take that would dramatically improve the security of all credit and debit cards: adoption of chip-enabled smartcard.”
Alec Foege, a contributing editor at Data Informed, is a writer and independent research professional based in Connecticut, and author of the book The Tinkerers: The Amateurs, DIYers, and Inventors Who Make America Great. He can be reached at email@example.com.