BOSTON Dec 22 The massive data breach disclosed
by retailer Target Corp last week is likely to teach its
U.S. customers a painful lesson in payment card security and
build support for an anti-fraud technology now sitting on the
For years, U.S. merchants and banks have balked at adopting
a well-established system that uses credit and debit cards that
store information on computer chips. The technology, ubiquitous
in Europe, Canada and elsewhere, makes it harder for thieves to
misuse data compared with cards that store data only on magnetic
The problem is the costs of the new chips and some 10
million payment terminals to process them.
The delay may prove costly to Target's U.S. customers. The
third-largest U.S. retailer said unknown hackers stole data from
up to 40 million credit and debit cards used at its stores in
the first three weeks of the holiday season.
Now, after years in which U.S. companies tolerated fraud as
a cost of doing business, high-profile breaches such as the one
at Target are raising demand for increased card security.
"There's no doubt in my mind it will happen over the next
two years. The fraud risk is too high," said Rush Taggart, chief
security officer of CardConnect of King of Prussia,
Pennsylvania, which helps merchants process payments. "I think
we all wish it had happened over the last four years."
An early switch to the global card system may not have
prevented the Target data theft but the chip technology would
have reduced the value of the stolen data by making it harder
for hackers to reuse the customer information. For one thing,
the new systems are better at detecting counterfeit cards.
Visa Inc has warned that merchants' banks may start
bearing the costs of fraud starting in October 2015 if the
merchants don't upgrade.
EUROPE MOVES AHEAD
In much of Europe, 94 percent of sales terminals use the
chip system, according to a 2012 report by consulting firm
Javelin Strategy & Research. The figure was 77 percent in Canada
and Latin America. That compares with only 10 percent of U.S.
sales terminals with upgrades.
The report said the figure would still reach only 60 percent
by Visa's October 2015 deadline. And the timetable could face
delays if merchants push back on changes that banks and
processors want but will not pay for.
Retailers over the summer won a ruling from a U.S. district
court judge in Washington that could help them reduce the fees
that banks can charge for debit card transactions.
Banks had counted on those fees to pay for extra network
upgrades, and the uncertainty could put off further investment,
said Al Pascual, a senior analyst at Javelin. "We should move to
it," Pascual said about the new standard. "But 'should' and
'would' are two different things," he said.
Some U.S. banks, including Citigroup Inc and Wells
Fargo & Co, have begun to issue chip-carrying cards that
meet the global standard - known as EMV, the initials of the
companies that created it in 1994: Europay International SA,
MasterCard and Visa. (MasterCard bought Europay in 2002.)
There are now nearly 1.6 billion EMV payment cards in use
Wells Fargo said recently its U.S. customers with the Visa
consumer credit cards it issues may request a new card with a
chip to use while traveling.
"Today, very few domestic merchant terminals support EMV
technology, so there is little need for a full-scale roll-out,"
a Wells Fargo spokesman said via e-mail.
JUST A COST OF BUSINESS
U.S. banks and merchants have tolerated the weak security in
part because they are able absorb the costs, said David
Robertson, publisher of the Nilson Report, a California trade
journal that tracks the payments industry.
In its August issue, Nilson said global card fraud rose to a
record $11.3 billion in 2012, from just under $10 billion the
year before. Nearly half the losses occurred in the United
States, helped by the lack of the more advanced card readers.
But on a volume basis the losses amounted to just 5.2 cents
for every $100 that consumers put on payment cards, up from 5.07
cents per $100 in 2011. Those figures are insignificant for most
of the players in the chain, Robertson said.
"It's a very manageable cost," Robertson said. Organized
shoplifting in comparison costs U.S. merchants around $30
billion per year, he said.
Consumers, who are generally not held responsible for
covering for fraudulent purchases, have had little incentive to
push for change. But the rising fraud rates also mean more
dangers of identity theft.
CHECKOUT SYSTEMS LIKELY COMPROMISED
Target said it was still reviewing how the attack was
carried out, but experts expect that systems at cash registers
were compromised. A Target spokeswoman did not respond to
questions for this article.
The incident appeared to be among the largest security
breaches in retail history, though it fell short of the one
announced by retailer TJX Cos in 2007, which was blamed
on poor security in the wireless computer networks at TJX
Since then, retailers have upgraded their systems under what
are meant to be the secure Payment Card Industry standards, or
PCI, meant to cover existing magnetic stripe cards.
But Gartner Research analyst Avivah Litan said many breaches
since then have occurred at companies that officially met the
standards. The problem is the magnetic stripe used to store data
on most U.S. cards is not secure enough to begin with, said
Litan, who favors upgrades to EMV.
"PCI isn't working because it is attempting to patch an
inherently insecure payment card system and network," she said.
"We can't expect retailers to patch their systems to work around
the weaknesses of this antiquated technology," she said.
Nilson's Robertson said the rise of mobile phones as payment
devices may complicate upgrade plans because they could crowd
out payment cards. If that happens soon, companies may have
wasted billions of dollars.
"It would be like investing in improving silent movies when
everyone else is moving to sound," Robertson said.