Tuesday, May 13, 2014
The fallout continues from the 2013 holiday-season data breach at Target Corp. The big-box retailer's chief executive resigned; a new security officer was appointed; and Target accelerated its transition to the Europay/MasterCard/Visa (EMV) chip card standard. But the one relative bright spot from the breach, in which an estimated 100 million card accountholder details were compromised, is that the sluggish transition of the U.S. payments infrastructure from a mag stripe-based to an EMV-based system seems to have picked up steam.
In late April 2014, Target appointed Bob DeRodes to helm the brand's EMV transition. As Executive Vice President and Chief Information Officer at Target, DeRodes' job includes overseeing the push of the retailer's entire REDcard portfolio to EMV, months in advance of the card brands' October 2015 deadline. At that time, fraud liability in the event of a data breach will shift to the weakest link in the payment transaction chain, which many expect will be merchants who are not EMV compliant.
Target said that, by early 2015, its branded credit and debit REDcards would be enabled with MasterCard Worldwide's chip-and-PIN-based EMV solution and its existing co-branded cards would be reissued. Target also said new EMV-compliant POS terminals would be installed in all of the retailer's 1,797 U.S. outlets by September 2014. Target has earmarked $100 million for its push to EMV.
Meanwhile, the May 5, 2014, resignation of Target's Chief Executive Officer, Gregg Steinhafel, may not have been entirely driven by the breach. Target's fourth quarter 2013 profits plummeted 46 percent, seemingly as a direct consequence of the breach. However, Target's business model is under pressure from such growing trends as omnichannel shopping and showrooming, and a change at the top can be seen as a response to larger macroeconomic forces. Target Chief Financial Officer John Mulligan stepped in to serve as interim President and CEO.
Despite accelerating its EMV timetable and making management changes, the massive Target data breach that occurred during the busiest shopping days of the 2013 holiday season lingers as a dark shadow over the company.
John Bycroft, Executive Vice President at U.K.-based fraud specialist Insider Technologies, applauded Target for taking the initiative and stepping up its transition to EMV. However, he believes EMV would not have prevented the breach. "Implementation of EMV by Target would not in any way, shape or form prevent from happening what previously happened," Bycroft said.
It has been reported that the source of the Target breach was an email phishing attack on Target's HVAC vendor and that Target's security team overlooked red flags that could have minimized the effects of the data breach.
Bycroft equated what happened at Target to the theft of an expensive and well-maintained sports car. "There's a spare key to this car and it's hanging on the hook in the kitchen," he said. "What happens is the cleaners come in … and take it. And that's what happened with Target." The company may have been Payment Card Industry Data Security Compliant, but human error and opportunity circumvented security, something that EMV could not have prevented, he said.
Ironically, Target initiated a previous transition to EMV in the early 2000s. Mansour Karimzedah, Managing Director and Chief Technology Officer at the SCIL-EMV Academy, remembers it well. "We all said, 'Wow, now that Target is going EMV, everybody else will,'" he noted. "But after a while, maybe a year, less than a year, they stopped that project and said they really didn't need EMV in the U.S."
Karimzedah believes that if Target had gone to EMV back then, the 2013 breach could have been minimized. He said when EMV is initially implemented, chip cards still come with mag stripes, so that the cards can be used to make purchases on legacy POS systems that only accept mag stripe-based payments. But when such cards are used, the transaction data indicates that the cards are chip-based. Such is not the case when the cards are only enabled for mag stripe, according to Karimzedah.
When the Target hackers took the stolen payment data and encoded counterfeit cards on mag stripe cards, there was no way for Target to differentiate between the counterfeited mag stripe cards and the original mag stripe cards. But if the cards had been EMV-enabled at the outset, Target could have more easily identified the bogus cards as fraudulent, Karimzedah said.
"So if they had gone ahead and implemented EMV a few years ago, by now most of their terminals would be EMV and most of their cards would have been EMV," he noted. "They could have probably protected [the data] earlier on … and quickly stopped it."
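The check Karimzedah describes can be sketched as follows. This is an added example, not code from the article or from any party it names; it assumes the chip indicator is the first digit of the Track 2 service code (2 or 6 under ISO/IEC 7813), and the record fields `entry` and `terminal_chip_capable`, the test card number and all sample records are constructed for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$")
CHIP_DIGITS = {"2", "6"}  # first service-code digit 2 or 6: the card carries a chip

def parse_track2(raw):
    """Split a Track 2 string into its fields; raise ValueError if malformed."""
    m = TRACK2.match(raw.strip())
    if m is None:
        raise ValueError("not a Track 2 record")
    return m.groupdict()

def card_has_chip(raw):
    """True when the stripe data itself says the genuine card has a chip."""
    return parse_track2(raw)["svc"][0] in CHIP_DIGITS

def assess(txn):
    """Classify one transaction record as 'ok', 'review' or 'malformed'."""
    try:
        chip = card_has_chip(txn["track2"])
    except ValueError:
        return "malformed"
    # A chip card swiped where the chip could have been read is either a
    # technical fallback or a stripe-only copy, so it is routed to review.
    if chip and txn["entry"] == "magstripe" and txn["terminal_chip_capable"]:
        return "review"
    return "ok"

# Constructed sample records (test card number, hypothetical field names).
CHIP_CARD = ";4111111111111111=17122010000000000?"    # service code 201
STRIPE_CARD = ";4111111111111111=17121010000000000?"  # service code 101
SAMPLES = [
    {"track2": CHIP_CARD, "entry": "magstripe", "terminal_chip_capable": True},
    {"track2": CHIP_CARD, "entry": "magstripe", "terminal_chip_capable": False},
    {"track2": CHIP_CARD, "entry": "chip", "terminal_chip_capable": True},
    {"track2": STRIPE_CARD, "entry": "magstripe", "terminal_chip_capable": True},
    {"track2": ";4111=17", "entry": "magstripe", "terminal_chip_capable": True},
]

if __name__ == "__main__":
    for t in SAMPLES:
        print(assess(t), t["entry"], t["terminal_chip_capable"])
```

Only the first record is flagged: a stripe-only card gives the terminal nothing to compare against, which is the gap described above for cards that were never chip-enabled.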
The SCIL-EMV Academy is offering its new QuickStartEMV platform that allows issuers and processors to migrate to EMV chip and PIN technology without having to replace their legacy systems. Karimzedah said QuickStartEMV is modular-based, allowing businesses to select the EMV components they want to implement in conjunction with their existing systems, resulting in reduced migration costs.
Karimzedah believes the Target breach awakened businesses to the necessity to make the EMV transition, but it's been a slow process. "More and more stakeholders are starting to think and actually do some EMV work," he said. "The ones that need to order cards, they are starting to order cards. They also need to buy terminals, and they are starting to order terminals."
Judging by the EMV transitions in the U.K. and Canada, the United States migration will take some time to complete. Karimzedah said both markets, approaching a decade each in length of transition time, are still not 100 percent EMV-compliant. "So it's not going to be black and white where, come October 2015, everybody is going to be done," he said. "It's going to be a long time. It's going to be many years before we are all done."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.