Target payment card data theft highlights lagging U.S. security

People shop at a Target store during Black Friday sales in the Brooklyn borough of New York. Credit: Reuters
People shop at a Target store during Black Friday sales in the Brooklyn borough of New York.
Credit: Reuters

The massive data breach disclosed by retailer Target Corp last week is likely to teach its U.S. customers a painful lesson in payment card security and build support for an anti-fraud technology now sitting on the shelf.

For years, U.S. merchants and banks have balked at adopting a well-established system that uses credit and debit cards that store information on computer chips. The technology, ubiquitous in Europe, Canada and elsewhere, makes it harder for thieves to misuse data compared with cards that store data only on magnetic stripes.

The problem is the costs of the new chips and some 10 million payment terminals to process them.

The delay may prove costly to Target’s U.S. customers. The third-largest U.S. retailer said unknown hackers stole data from up to 40 million credit and debit cards used at its stores in the first three weeks of the holiday season.

Now, after years in which U.S. companies tolerated fraud as a cost of doing business, high-profile breaches such as the one at Target are raising demand for increased card security.

“There’s no doubt in my mind it will happen over the next two years. The fraud risk is too high,” said Rush Taggart, chief security officer of CardConnect of King of Prussia, Pennsylvania, which helps merchants process payments. “I think we all wish it had happened over the last four years.”

An early switch to the global card system may not have prevented the Target data theft but the chip technology would have reduced the value of the stolen data by making it harder for hackers to reuse the customer information. For one thing, the new systems are better at detecting counterfeit cards.

Visa Inc. has warned that merchants’ banks may start bearing the costs of fraud starting in October 2015 if the merchants don’t upgrade.

EUROPE MOVES AHEAD

In much of Europe, 94 percent of sales terminals use the chip system, according to a 2012 report by consulting firm Javelin Strategy & Research. The figure was 77 percent in Canada and Latin America. That compares with only 10 percent of U.S. sales terminals with upgrades.

The report said the figure would still reach only 60 percent by Visa’s October 2015 deadline. And the timetable could face delays if merchants push back on changes that banks and processors want but will not pay for.

Retailers over the summer won a ruling from a U.S. district court judge in Washington that could help them reduce the fees that banks can charge for debit card transactions.

Banks had counted on those fees to pay for extra network upgrades, and the uncertainty could put off further investment, said Al Pascual, a senior analyst at Javelin. “We should move to it,” Pascual said about the new standard. “But ‘should’ and ‘would’ are two different things,” he said.

Some U.S. banks, including Citigroup Inc and Wells Fargo & Co, have begun to issue chip-carrying cards that meet the global standard – known as EMV, the initials of the companies that created it in 1994: Europay International SA, MasterCard and Visa. (MasterCard bought Europay in 2002.)

There are now nearly 1.6 billion EMV payment cards in use worldwide.

Wells Fargo said recently its U.S. customers with the Visa consumer credit cards it issues may request a new card with a chip to use while traveling.

“Today, very few domestic merchant terminals support EMV technology, so there is little need for a full-scale roll-out,” a Wells Fargo spokesman said via e-mail.

JUST A COST OF BUSINESS

U.S. banks and merchants have tolerated the weak security in part because they are able absorb the costs, said David Robertson, publisher of the Nilson Report, a California trade journal that tracks the payments industry.

In its August issue, Nilson said global card fraud rose to a record $11.3 billion in 2012, from just under $10 billion the year before. Nearly half the losses occurred in the United States, helped by the lack of the more advanced card readers.

But on a volume basis the losses amounted to just 5.2 cents for every $100 that consumers put on payment cards, up from 5.07 cents per $100 in 2011. Those figures are insignificant for most of the players in the chain, Robertson said.

“It’s a very manageable cost,” Robertson said. Organized shoplifting in comparison costs U.S. merchants around $30 billion per year, he said.

Consumers, who are generally not held responsible for covering for fraudulent purchases, have had little incentive to push for change. But the rising fraud rates also mean more dangers of identity theft.

CHECKOUT SYSTEMS LIKELY COMPROMISED

Target said it was still reviewing how the attack was carried out, but experts expect that systems at cash registers were compromised. A Target spokeswoman did not respond to questions for this article.

The incident appeared to be among the largest security breaches in retail history, though it fell short of the one announced by retailer TJX Cos in 2007, which was blamed on poor security in the wireless computer networks at TJX stores.

Since then, retailers have upgraded their systems under what are meant to be the secure Payment Card Industry standards, or PCI, meant to cover existing magnetic stripe cards.

But Gartner Research analyst Avivah Litan said many breaches since then have occurred at companies that officially met the standards. The problem is the magnetic stripe used to store data on most U.S. cards is not secure enough to begin with, said Litan, who favors upgrades to EMV.

“PCI isn’t working because it is attempting to patch an inherently insecure payment card system and network,” she said. “We can’t expect retailers to patch their systems to work around the weaknesses of this antiquated technology,” she said.

Nilson’s Robertson said the rise of mobile phones as payment devices may complicate upgrade plans because they could crowd out payment cards. If that happens soon, companies may have wasted billions of dollars.

“It would be like investing in improving silent movies when everyone else is moving to sound,” Robertson said.

 



News
Entertainment
Sports
Lifestyle
Local

MAP: New York City Street Closures August 22,…

The Percy Sutton Harlem 5K and NYC Family Health Walk-a-thon and Pakistan Day Parade and Fair will cause traffic delays and street closures in New York City this weekend. Plan…

International

U.N. nuclear inquiry on Iran seen making slow…

The U.N. nuclear watchdog appears to have made only limited progress so far in getting Iran to answer questions about its suspected atomic bomb research, diplomatic sources said on Friday,…

National

Violence-weary Missouri town sees second night of calm

By Nick Carey and Carey GillamFERGUSON Mo. (Reuters) - The violence-weary town of Ferguson, Missouri, saw a second straight evening of relative calm on Thursday…

National

Journalist James Foley's parents, after call with pope,…

The parents of James Foley, the American journalist killed by Islamic State militants in Iraq, on Friday called for prayer and support to free the remaining captives held by Islamic…

Television

Recap: 'The Knick,' Season 1, Episode 3, 'The…

The third episode of Steven Soderbergh's "The Knick" finds Dr. Thackery (Clive Owen) meeting an old flame and other characters embracing self-destruction.

Music

Webcast: Watch Polyphonic Spree live on Sunday Aug.…

Polyphonic Spree singer Tim DeLaughter sits with Metro Music Editor Pat Healy for a chat and then the big band performs live. It begins on Sunday at 9:30 pm

Movies

Matthew Weiner on directing 'Are You Here' and…

"Mad Men" creator Matthew Weiner discusses his movie "Are You Here," his history writing comedy and the tiny movie he directed in 1996 you can't see.

Movies

Michael Chiklis on his football past and 'When…

Michael Chiklis remembers playing football in high school and how that prepped him to play a coach in "When the Game Stands Tall."

NFL

3 things we learned about the Giants in…

The Giants claimed the Snoopy trophy in a battle of MetLife Stadium tenants Friday night. But more importantly, the offense finally showed some life in…

NFL

3 things we learned about the Jets in…

The Jets lost the Snoopy Bowl, 35-24, to the Giants, losing the trophy and local bragging rights.

NFL

Fantasy football draft guide: How to draft your…

Many are wondering if we’re entering a new age in fantasy football drafting — one where running backs take a backseat.

NFL

Jets vs. Giants: 3 Giants storylines to watch

The Giants have plenty to work on as they reach the dress rehearsal preseason game Friday night against the rival Jets.

Wellbeing

Asics is giving away free gear around NYC…

Asics wants to see you on the court - and in the stands for the U.S. Open, which begins Monday - by giving away free…

Sex

Big weddings may lead to long-term happiness

Dreaming of a big wedding? A new study indicates that the longer your guest list, the happier you’ll be in the long run. l A…

Sex

Online dating for every generation

Frank Jackson and his mother Maggie are like lots of modern families: They have dinner together regularly, keep each other updated on their lives —…

Wellbeing

Going green could be the key to getting…

If we could just pursue the things that would actually make us happy, we could help the environment too, according to a New York researcher.…