Will Target Go Down as the Tylenol of Payments Security?

Consumer banking

Target Breach Cost to Banks: $172 Million -- and Counting

The squabbling over who is responsible for the massive data breach at Target stores resumed Thursday when a group representing retail banks rolled out a new set of numbers detailing how much the breach has cost banks.

By Alan Kline

February 6
Bank technology

Target Hackers Lurked for Months Before Pouncing at Holidays

The latest investigation into the massive data breach at Target has found that hackers entered the retailer's network by stealing a vendor's password and then patiently waited until the busy holiday season to strike.

By Penny Crosman

February 11
Bank technology

Cheat Sheet: What Bankers Need to Know About the Target Breach

How could this happen? Why is the U.S. payments industry still using archaic and notoriously insecure magnetic stripe card technology? And will the episode change anything? American Banker answers frequently asked questions about the Target breach.

By Penny Crosman

January 22

Editor's Note: This post originally appeared on PaymentsSource.

Retail giant Target Corp.'s headache-inducing data breach brings to mind the 1982 Tylenol poisoning crisisan event that drug maker Johnson & Johnson handled with such aplomb that it restored public confidence in its medicine, altered the way retailers handle product safety and established itself as the gold standard for crisis management.

Johnson & Johnson achieved all this with a relatively simple trick: introducing tamper-proof bottles. The question Target faces is whether it can pull off a similar feat by introducing tamper-proof cards.

Even before the massive Target breach, the U.S. payments industry was on the path to replacing the aging magnetic-stripe card with a counterfeit-proof EMV "chip and PIN" version. Merchants, banks and processors are also considering options such as encryption and tokenization, which scramble or eliminate card data as its swiped.

U.S. merchants are currently under pressure from major card brands like Visa and MasterCard to accept EMV-equipped cards by October 2015. Target has indicated it plans to deploy EMV-capable terminals six months ahead of schedule. Some financial institutions have also sped up EMV card issuance plans in the wake of the Target breach.

But is EMV really the answer? Its main security benefit is deterring duplication of physical cards. The chips are of no use in so-called card-not-present transactions involving online and mobile commerce. Whats more, a U.S. court ruling has muddied the legal landscape for use of EMV chips with debit cards and is likely to postpone adoption in this giant market.

EMV alternatives, including encryption and tokenization, had their own Tylenol moment four years ago. Thats when processor Heartland Payment Systems was hit with a massive data breach. Heartland even referenced the Tylenol incident in marketing end-to-end encryption services. Yet the Heartland breach failed to spawn a security revolution big enough to prevent similar crises at Target, Neiman Marcus and other retailers.

That raises the question: Will this time be different and Target become the payment industrys Tylenol?

Maybe. Before the Target breach, many merchants were apparently willing to delay or ignore the card networks' deadline for adopting EMV and ready to face the consequences. Now, even merchants who remain unsold on EMV as cost-effective security may view incorporating the technology as unavoidable.

For their part, Visa and MasterCard have not sped up their timeline for EMV adoption in the wake of the Target breach. Meanwhile, some of their bank partners are already looking past EMV to more higher-tech approaches to payments security.

Daniel Wolfe is Editor in Chief of PaymentsSource and contributing editor for American Banker.

Daniel Wolfe

Content Director, Payments and Credit Unions, American Banker

	About Daniel
twitter	wolfewriter
mailto	daniel.wolfe@arizent.com
linkedin	daniel-wolfe-5947087