Following a breach at Target and a host of other incidents, retailers are seeking security solutions despite being PCI compliant.
By Pat Pape, Contributing Editor
The business world was stunned, and consumers outraged, when retail giant Target, with almost 2,000 stores in the U.S. and Canada, admitted to a major security breach in late 2013.
According to news reports, the attackers first compromised a Target HVAC contractor with malware, stole the contractor’s network credentials, and used them to get into Target’s network and install memory-scraping malware on its point-of-sale (POS) systems. The malware captured shoppers’ card data as it was read at the register and transmitted it to hackers believed to be in Eastern Europe, who used the stolen data to create counterfeit cards that were sold on the black market. The breach exposed roughly 40 million payment-card records and the personal information of as many as 70 million customers, and is considered one of the largest in U.S. retail history.
Target raised more eyebrows in March when officials acknowledged that the company’s security monitoring tools had flagged suspicious activity on its network during the breach, but the alerts were not acted on. So far, Target says it has spent more than $60 million as a result of the data theft and faces more than 80 lawsuits. The company’s reputation has taken a severe beating, with fourth-quarter profits down 46% from the same period in 2012.
Recently, John Mulligan, Target’s chief financial officer, posted an article on the company’s Website urging American businesses to push for the introduction of smart cards, also known as EMV cards (Europay, MasterCard, Visa) or chip-and-pin cards. Currently, the technology is used in about 80 countries, and plans are under way for Visa to bring it to the U.S. late next year. Mulligan believes updating U.S. credit and debit cards with chip-enabled technology would help prevent a situation similar to Target’s. “The technology is already widely used throughout the world,” Mulligan said. “For many reasons, the U.S. has been slow to embrace the technology at home.”
Made in the USA
The typical U.S. credit card stores the cardholder’s account data on a magnetic stripe. Because a magnetic stripe can be read and rewritten with cheap, widely available equipment, those cards can be cloned inexpensively. By contrast, a smart card holds the account data on a chip that also contains a secret key which cannot be read out; the chip uses that key to compute a unique cryptogram for each transaction, and the cardholder must enter a PIN (personal identification number) or sign for the purchase. Data captured from one chip transaction therefore cannot be replayed to make a working counterfeit chip card, and extracting the key from the chip would require expensive and sophisticated equipment, which at this time would not be cost-effective for criminals.
George Odencrantz, vice president of IT at Sinclair Oil Corp. in Salt Lake City, doesn’t believe chip-enabled cards could have prevented the Target breach, although the stolen information would have been devalued.
“Many people think chip-and-pin is new, but it’s not,” he said. “It was invented in the late ‘80s or early ‘90s because of poor network communications in Europe. The chip itself is encrypted, but the transaction is not encrypted. Had there been chip-and-pin cards in use at Target, all those card numbers would have been exposed.”
Bob Russo, general manager of the PCI Security Standards Council headquartered in Wakefield, Mass., agreed with Odencrantz. “The breach probably would still have happened,” he said. “But if hackers stole the credit card data, they would not have been able to create [and sell] duplicate cards.”
Chip-and-Pin Solutions
U.S. retailers have been in no hurry to adopt chip-and-pin technology. The investment in new card readers, uncertainty over who bears liability for fraud losses, and ever-more-creative criminals have all discouraged the conversion.
“There are lots of things that must happen not only from the infrastructure side—the banks—but from the merchant side, as well,” Russo said. “It’s probably going to be a rather long migration if history is any indication. The last migration we have to look at, and which is still going on, is in Canada.”
Currently, Odencrantz sees no compelling reason for American business to run from magnetic stripe cards and into the arms of chip-and-pin. One consideration is the cost retailers would incur to replace current card readers with those designed to handle chip-and-pin technology. Today, magnetic stripe cards are swiped through a card reader, but chip-and-pin cards are inserted into a reader, much like that of an ATM. He estimated that the price tag of a card-reader update could run as much as $20,000 per convenience store.
The average lifecycle of a typical card reader is 7-10 years, said Russo. And retailers aren’t prone to replace equipment before it’s needed. However, he advises retailers currently shopping for new card readers to consider purchasing hardware that can handle chip-and-pin cards since the technology will soon arrive on U.S. shores.
“By and large, the majority of merchants will have to re-terminalize,” said Russo, noting that the PCI Security Standards Council Website features a list of approved chip-and-pin card readers. After Oct. 1, 2015, if a consumer uses a chip card at a store that hasn’t adopted chip-reading terminals, the store, rather than the card issuer, may be responsible for any fraud that results.
In addition to those issues, First Data, the global payment-processing company based in Atlanta, reports that chip-and-pin cards will cost between $2 and $4 each. A magnetic stripe card runs about 15 cents.
“It’s a lot when you put that in context,” Odencrantz said. “The fraud right now doesn’t justify the cost of chip-and-pin. Granted, there are some inconveniences to the individual [when a number is stolen and cards are cloned], but in general, the fraud dollars do not justify the incremental cost of doing these things—for the banks or the merchants.”
When it comes to credit card use, Americans enjoy some of the strongest consumer protection in the world. Under federal law (the Truth in Lending Act, implemented by the Federal Reserve’s Regulation Z) and various court decisions, the U.S. victim of credit card fraud is liable for no more than $50 when a card number is stolen or a lost card is used, and issuers commonly waive even that. In fact, the rapid growth of online shopping in America has been attributed in part to the nation’s robust consumer protection laws.
Security First
While chip-and-pin offers benefits, some technology issues should be addressed before it arrives on U.S. shores, Odencrantz believes.
“When the [chip-and-pin] card is swiped at the register, it goes into the register’s memory in clear text and that is where it was taken [by the Target hackers], right out of the cash register memory,” he said. “Technology should be updated so that encryption is required at the reading of the card. The card information would be encrypted there and passed through the network encrypted. It would be unencrypted when it got to Visa or MasterCard or the processor.”
There are encrypted card readers available in the marketplace, but “They’re not widely in use today,” Odencrantz said. “If you’re going to upgrade for chip-and-pin, it’s silly not to upgrade for encryption.”
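The mechanism Odencrantz describes, as an added illustration that is not code from the article or from any vendor it names: a RAM scraper hunts POS process memory for digit runs shaped like a card number (filtered with the Luhn check so receipt numbers and timestamps are skipped), which succeeds against the legacy path where the reader hands the register raw track data, and finds nothing when the reader encrypts the track before the POS ever sees it. The keystream here is an HMAC-SHA256 counter mode with a separate HMAC tag, a standard-library stand-in for the AES/DUKPT schemes real point-to-point-encryption readers use; the shared key, the track data, and the memory layout are all constructed for the example.

```python
"""Why encryption at the reader defeats POS memory scrapers (illustrative)."""
import hashlib
import hmac
import os
import re

# Constructed sample Track 2 data: PAN, expiry (YYMM), service code, discretionary data.
# 4111111111111111 is a well-known Luhn-valid test number, not a real account.
TRACK2 = b";4111111111111111=25121011000012345678?"

# Assumption: this key lives only in the reader's secure element and the
# processor's HSM. The POS application never holds it.
READER_KEY = bytes(range(32))


def luhn_ok(pan: str) -> bool:
    """Luhn checksum used by scrapers to tell real PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# What a RAM scraper looks for: 13-19 digit runs not embedded in a longer run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def scrape_pans(memory: bytes) -> list:
    """Simulated memory scraper: every Luhn-valid PAN found in a memory image."""
    return [m.decode() for m in PAN_RE.findall(memory) if luhn_ok(m.decode())]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for AES in a real reader."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    return (hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest())


def reader_encrypt(key: bytes, track: bytes, nonce: bytes = b"") -> bytes:
    """Reader side: encrypt-then-MAC the track before it leaves the read head."""
    enc_key, mac_key = _subkeys(key)
    nonce = nonce or os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(track, _keystream(enc_key, nonce, len(track))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def blob_is_authentic(key: bytes, blob: bytes) -> bool:
    """Processor side: reject blobs altered anywhere between reader and processor."""
    _, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def processor_decrypt(key: bytes, blob: bytes) -> bytes:
    """Processor side: verify, then recover the track; only here is the PAN in clear."""
    if not blob_is_authentic(key, blob):
        raise ValueError("authentication failed: blob altered in transit")
    enc_key, _ = _subkeys(key)
    nonce, ct = blob[:16], blob[16:-32]
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def pan_from_track(track: bytes) -> str:
    """Track 2 layout: ';' PAN '=' expiry service-code discretionary '?'."""
    return track.split(b"=")[0].lstrip(b";").decode()


def pos_memory_cleartext(track: bytes) -> bytes:
    """Legacy path: the POS builds its auth request from the raw track in its own
    memory, which is exactly where a scraper reads it. Surrounding bytes are
    constructed filler (a non-Luhn receipt number and a timestamp)."""
    return b"RECEIPT 1234567812345678\x00AUTH_REQ " + track + b"\x00TS 20131127"


def pos_memory_encrypted(track: bytes, key: bytes = READER_KEY, nonce: bytes = b"") -> bytes:
    """Encrypting-reader path: the POS only ever holds the opaque blob."""
    return b"RECEIPT 1234567812345678\x00AUTH_REQ " + reader_encrypt(key, track, nonce) + b"\x00TS 20131127"


if __name__ == "__main__":
    print("legacy POS memory, scraper finds:", scrape_pans(pos_memory_cleartext(TRACK2)))
    mem = pos_memory_encrypted(TRACK2)
    print("encrypting reader, scraper finds:", scrape_pans(mem))
    blob = mem[len(b"RECEIPT 1234567812345678\x00AUTH_REQ "):-len(b"\x00TS 20131127")]
    print("processor recovers PAN:", pan_from_track(processor_decrypt(READER_KEY, blob)))
```

The point the example makes is independent of the card type: a chip card swiped or dipped into a reader that outputs clear track data leaves the PAN in register memory just as a magnetic stripe card does, which is why Odencrantz argues the two upgrades belong together.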
Controversy surrounding the transition to chip-and-pin, along with the ongoing efforts of cyber criminals, will continue. The new card format may make stolen card data harder to monetize, but retailers simply cannot rely on an updated credit-card technology to protect them from serious security threats. Effective security requires up-to-date technology, ongoing employee training, current PCI compliance and consistent vigilance, Russo said.
“Good security is not about complying with any one regulation or standard, and there’s a real need for a multilayer approach to protecting this data,” Russo said. “It’s about combining people, process and technology to make protecting payment-card data a daily, round-the-clock, business-as-usual practice.”