The Green Sheet Online Edition
May 26, 2014 • Issue 14:05:02
Target breach may be U.S. EMV catalyst
The fallout continues from the 2013 holiday-season data breach at Target Corp. But a relative bright spot from the breach, in which the details of an estimated 100 million card accountholders were compromised, is that the sluggish transition of the U.S. payments infrastructure from a mag stripe-based to a Europay/MasterCard/Visa (EMV)-based system seems to have picked up steam.
In late April 2014, Target appointed Bob DeRodes to helm the brand's EMV transition. As Executive Vice President and Chief Information Officer at Target, DeRodes' job includes overseeing the push of the retailer's entire REDcard portfolio to EMV, months in advance of the card brands' October 2015 deadline. At that time, fraud liability in the event of a data breach will shift to the weakest link in the payment transaction chain, which many expect will be merchants who are not EMV compliant.
Target said that by early 2015, its branded credit and debit REDcards would be enabled with MasterCard Worldwide's chip-and-PIN-based EMV solution and its existing co-branded cards would be reissued. Target also said new EMV-compliant POS terminals would be installed in all of its 1,797 U.S. outlets by September 2014. Target has earmarked $100 million for its push to EMV.
Meanwhile, the May 5, 2014, resignation of Target's Chief Executive Officer, Gregg Steinhafel, may not have been entirely driven by the breach. Target's fourth quarter 2013 profits plummeted 46 percent, seemingly as a direct consequence of the breach. However, Target's business model appears to be under pressure from such growing trends as omnichannel shopping and showrooming. A change at the top can be seen as a response to macroeconomic forces. Target Chief Financial Officer John Mulligan stepped in to serve as interim President and CEO.
The case of a spare set of keys
Despite Target's accelerated EMV timetable and management changes, the massive Target data breach that occurred at the height of the 2013 holiday shopping season remains a dark shadow over the company.
John Bycroft, Executive Vice President at U.K.-based fraud specialist Insider Technologies Ltd., applauded Target for stepping up its transition to EMV. However, he believes EMV would not have prevented the breach. "Implementation of EMV by Target would not in any way, shape or form prevent from happening what previously happened," Bycroft said.
It has been reported that the source of the Target breach was an email phishing attack on Target's HVAC vendor and that Target's security team overlooked red flags that could have minimized the effects of the breach.
Bycroft equated what happened at Target to the theft of an expensive and well-maintained sports car. "There's a spare key to this car and it's hanging on the hook in the kitchen," he said. "What happens is the cleaners come in - and take it. And that's what happened with Target." The company may have been compliant with the Payment Card Industry Data Security Standard, but human error and opportunity circumvented security, something that EMV could not have prevented, he said.
Target's costly delay
Ironically, Target initiated a previous transition to EMV in the early 2000s. Mansour Karimzedah, Managing Director and Chief Technology Officer at the SCIL-EMV Academy, remembers it well. "We all said, 'Wow, now that Target is going EMV, everybody else will,'" he noted. "But after a while, maybe a year, less than a year, they stopped that project and said they really didn't need EMV in the U.S."
Karimzedah believes that if Target had gone to EMV back then, the 2013 breach could have been minimized. He said when EMV is initially implemented, chip cards still come with mag stripes, so the cards can be used to make purchases on legacy POS systems that only accept mag stripe-based payments. But when such cards are used, transaction data indicates the cards are chip-based. Such is not the case when the cards are only enabled for mag stripe, according to Karimzedah.
When the Target hackers took the stolen payment data and encoded it onto counterfeit mag stripe cards, there was no way for Target to differentiate between the counterfeit mag stripe cards and the original mag stripe cards. But if the cards had been EMV-enabled at the outset, Target could have more easily identified the bogus cards as fraudulent and could have quickly stopped the data theft, Karimzedah said.
EMV activity picking up
The SCIL-EMV Academy is offering its QuickStartEMV platform, which allows issuers and processors to migrate to EMV chip and PIN technology without having to replace their legacy systems. Karimzedah said QuickStartEMV is modular, allowing businesses to select the EMV components they want to implement in conjunction with their existing systems, resulting in reduced migration costs.
Karimzedah believes the Target breach awakened businesses to the necessity of the EMV transition, but it's been a slow process. "More and more stakeholders are starting to think and actually do some EMV work," he said. "The ones that need to order cards, they are starting to order cards. They also need to buy terminals, and they are starting to order terminals."
Judging by the EMV transitions in the U.K. and Canada, the United States migration will take some time to complete. Karimzedah said both markets, each approaching a decade of transition time, are still not 100 percent EMV-compliant. "So it's not going to be black and white where, come October 2015, everybody is going to be done," he said. "It's going to be a long time. It's going to be many years before we are all done."