Target Breach Prompts Call for US to Speed Up EMV Migration


The massive retail breach that occurred over the holidays has prompted some retailers – including the National Retail Federation and the chief executive (CEO) of Target, the main victim in the breach – to call for the US to speed up its migration to Europay, MasterCard and Visa (EMV) chip cards.

Speeding Up EMV Migration

In an interview with CNBC, Target CEO Gregg Steinhafel took the opportunity to advocate for speeding up EMV migration in the US. “We think it’s important that we get there as a nation, and we want not only to participate in that conversation, but we want to lead in that conversation too,” he said.

The National Retail Federation has also now begun publicly backing faster implementation of chip cards. Mallory Duncan, senior vice president and general counsel for the NRF, said that the trade group is encouraging its members to upgrade their systems. “The technology that exists in cards out there is 20th-century technology, and we’ve got 21st-century hackers,” he said in an interview with Reuters.

EMV cards are considered more secure than mag-stripe cards because the unique chips in the cards are almost impossible to clone.

The major credit card companies—Visa, MasterCard, American Express and Discover—have set a target date of October 2015 to stop using mag-stripe cards and switch to chip cards. Replacing all the cards at once, instead of a gradual phase-in over 2014 and 2015, would be extremely costly. Absorbing the losses on any card fraud that occurs at the point-of-sale was previously thought to be less expensive than making an immediate switch to EMV—but this retail breach could be a game changer.

Toronto-based fraud expert Chris Mathers, who spoke at last summer’s AFP of Canada Treasury Management Forum, told gtnews that “clearly” the US needs to move to EMV.

Mathers noted that in Canada, once it was determined that the cost of switching to EMV would cost less than the overall fiscal and reputational costs of breaches, EMV migration was a no-brainer. “It’s just an accounting decision,” he said.

There are drawbacks to EMV migration, of course. Mathers noted that once the US makes the switch, customer-not-present fraud will increase. “What you’re doing is you’re forcing the bad guys to do other things,” he said. “They have to up their game a bit more and see if they can copy chips or copy PIN numbers. So maybe they’ll migrate to some other type of fraud.”

As of yet, there are no known cases of criminals successfully copying chips. But Mathers sees this as a “war of escalation.” He noted that card issuers believed that security holograms on credit cards could not be copied when they first introduced them. “It was pretty soon after that the bad guys were able to copy holograms,” he said. “If there’s a technology that exists to create an encrypted chip, ultimately, someday, the bad guys will be able to crack it. But in the meantime, it’s the best thing we have.”

A payments analyst who asked to remain anonymous told gtnews that she believes the Target breach will lead inevitably to more discussion about whether the US needs to accelerate its deployment of EMV cards. “But whether it actually stimulates faster adoption/deployment as compared to the current card brand road maps, only time will tell,” she said.

However, she pointed out that EMV is a broad term that can mean different things.  “Most countries that have deployed EMV have deployed almost entirely EMV, plus PIN,” she said. “In this country, Visa’s roadmap calls for PIN and signature.  Security considerations would strongly favour the former and not the latter, although I recognise some segments like QSR have a hard time with PIN.  There are also many specific and different choices related to security within the EMV specification.  So deployment of EMV should specify a best practice approach to using these security components.”

Lastly, the payments analyst added that the Target breach is a clear indicator that PCI standards are not an efficient data breach prevention strategy, despite costing retailers a substantial amount of money. She believes the standards are in need of a much greater overhaul than the one announced in November 2013. “At least that’s what I’m hearing from retailers,” she said. “The standards don’t seem to be effective particularly given the costs.”

Costs of a Breach

Typically, credit card issuers bear the brunt of the costs for breaches, Mathers noted. But with the Target breach resulting in multiple lawsuits, Mathers sees the card issuers likely taking a step back and blaming the retailer for not have the proper IT security in place to protect customer information. “The credit card company could say, ‘Hey, that’s not us. You need to be eating that,’” he said. “What you have to worry about hear is a class action. For sure, some class lawyers are going to try and collect as many people as they can and hammer somebody with deep pockets. That’s who they’re going to be looking to hit.”

 But the greatest cost to retailers, Mathers said, is the reputational cost. “How do you quantify that? Is it causing people to not shop there? Who knows? At the end of the day, somebody has to pay the cost of this. Maybe that’s going to be sorted out in court; consumers sue Target, Target sues their provider or their IT security. But for sure, somebody is going to pay,” he said.


Related reading