BUSINESS JOURNAL: Time For An Upgrade?

Target Breach Spotlights Outdated Card Tech

Posted: January 29, 2014

Customers shop at the Target on East Market Street in Harrisonburg. A massive data breach may push retailers and banks to move more quickly to adopt "smart card" technology, already in use in Europe. (Photo by Nikki Fox / DN-R)

HARRISONBURG — The massive Target data breach could be the catalyst that finally pushes the U.S. to adopting credit and debit card technology already in use in many other countries.

The nation’s No. 2 retailer announced on Jan. 10 that hackers had stolen the personal financial information of an estimated 70 million to 110 million customers, far more than the 40 million Target originally disclosed in December.

Now, the National Retail Federation is urging the adoption of so-called smart card technology that uses both a computer chip and a personal identification number.

PIN and chip cards use unique user identification pass codes and computer chips embedded in cards — rather than magnetic stripes — to complete transactions.

PIN and chip technology, which has been around since the 1990s, has been in use in Europe for years, but the U.S. has been slow to move from away magnetic stripes.

Stripe technology is about a half-century old and is much easier for hackers to take advantage of.

Visa and MasterCard intend to begin migrating to smart cards in October 2015, according to published reports, but Target’s woes have thrust the issue into the spotlight.

Data Stolen

During the height of the holiday shopping season, cyber criminals using a simple software program stole data from Target customers when they swiped their credit and debit cards at terminals in stores throughout the nation, explained Harry Reif, a computer information systems professor at the James Madison University College of Business.

After being installed in Target’s system, the software captured users’ data and sent it to a database for scammers to harvest to commit fraud, said Reif.

Neiman Marcus may also have been affected, he added.

On Jan. 21, National Retail Federation President and Chief Executive Officer Matt Shay sent a letter to Senate Majority Leader Harry Reid, D-Nev., and House Speaker John Boehner, R-Ohio, reiterating the lobbying group’s long-standing position in favor of PIN and chip cards.

The banking and retail industries point fingers at each other for holding back the adoption of more secure card technology.

NRF is in favor of cards with both microchips and PINs. Because signatures are easily forged, PINs are more secure, the organization contends.

“For years, banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next-generation PIN and chip card technology for customers in Europe and dozens of other markets,” Shay said, according to a news release.

Financial institutions, however, say customers must be able to use the technology at stores.

“The faster we move to it, the safer member information [will be], and fraud will decline just because it’s a better technology,” said John Beiler, president and chief executive officer of Harrisonburg-based Park View Credit Union. “What’s holding it back now is it does require new equipment at the merchants’ point of sale.”

‘Shared Responsibility’

Mallory Duncan, spokesman for the NRF, said in an interview that the organization believes the transition must be a “shared responsibility.”

Duncan didn’t have an estimate for how much it could cost retailers and bankers to implement the new technology, but said it would be “many billions of dollars.”

It’s also not clear whether PIN and chip cards would have prevented Target’s data breach, he said.

“I don’t think we know enough about the Target breach to know whether it would have happened in that particular case,” Duncan said. “Details are still coming out, but what we do know is that where PIN and chip technology is used, fraud drops dramatically.”

Contact Jeremy Hunt at 574-6273 or jhunt@dnronline.com