There's probably never a good time to have your customers' credit card data hacked, but the height of the holiday shopping season is no doubt the worst. Of course, that's exactly what happened to Target at the end of last year when the retail giant announced that credit card data of 40 million of its customers had been compromised. Adding insult to injury, two weeks ago the company announced that the personal data of 70 million of its customers had been compromised as part of the same security breach.
Target is now in the unfortunate position of being the corporate poster child for poor data security, but it’s quickly finding plenty of company from other major chains, including Neiman Marcus, which said last week that 1.1 million customers had been affected by a three-month data breach. Michaels Stores may be the latest to join the list, but it’s apparently not going to be the last.
Target's fourth quarter earnings call is scheduled for Feb. 26, but leadership has already made it clear that profits will be lower than originally forecast due to a post-theft drop in sales. In its most recent statement, Target wouldn't speculate on what the fiasco might end up costing it, but given its guarantee that customers will have "zero liability for the cost of any fraudulent charges arising from the breach," the amount is likely to be significant.
Many are pointing the finger of blame for the data theft at retailers, for cheaping out and not adopting new smart card technology for their in-store credit card systems. Known as "chip and PIN" cards, smart credit cards use a microchip embedded in the card rather than a magnetic strip to store and verify cardholder information, along with a personal identification number that users enter at point of purchase.
The chip encrypts the data for each and every transaction, making the data far more secure than that of magnetic strips, where the customer's information is unchanging with each transaction. Magnetic strip card technology has been around since the 1970s, but smart card technology is ready and able to be deployed. And as numerous reports have pointed out since the Target breach, chip-and-PIN cards are the standard in Europe and Africa.
Money Changes Everything
So why aren't chip-and-PIN cards the standard here, in arguably the world's most technologically obsessed country? The answer is cost, on both the retail and banking sides of the equation. Chip-and-PIN cards can only be used at special card readers – readers big retailers have to spend big money to install. Ironically, Target was at the leading edge of a smart-card transition more than a decade ago, having actually installed 37,000 chip-and-PIN card readers at its stores across the country in the early 2000s.
At the time, Target was a credit card issuer and, in its own words, wanted to be a smart card leader in the U.S. The $40 million effort ended when Target determined that, among other issues with the system, the cards took longer to use at point of purchase. With stores complaining that the new cards were slowing down sales, the stores won.
On the financial services side, costs for switching to chip-and-PIN are also significant. Credit cards are typically issued by banks, and smart cards cost about $1.30 apiece versus about $0.10 apiece for cards using magnetic strips, or a whopping 13 times more. With transition costs like these, it's clear why neither side has been much in the mood to budge for the last decade.
The industry could finally be at a tipping point, one where the costs of inaction are finally outweighing the costs of action. The National Retail Federation last week sent a letter to House Speaker John Boehner (R-OH) and Senate Majority Leader Harry Reid (D-NV) in support of a switch to PIN and chip cards. “For years, banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next-generation PIN and Chip card technology for customers in Europe and dozens of other markets,” NRF CEO Matthew Shay wrote in the letter, adding that retailers cannot make the transition alone.
Costs aside, would chip-and-PIN cards have stopped the Target data theft? No and yes. No because the original data breach seems to have come in the form of a cyber attack, which smart cards won't stop. Yes in the sense that stolen credit-card data can far more easily be turned into fraudulent magnetic strip credit cards than smart cards. Details are still emerging, but it looks like highly skilled hackers broke into Target's back-end data systems and injected a virus that captured information from point-of-purchase terminals. And now at least one report has compromised credit data turning up on fraudulently made magnetic-strip cards.
There's plenty of blame to go around for the breaches, with leadership failures on all fronts. Until all this is sorted out, Target may at least want to consider changing its logo from a bulls-eye to something less provocative to would-be cyberthieves.