The data breach disclosed by Supervalu on Thursday shows yet again why the ongoing migration of the U.S. payment system to smartcard technology can't happen soon enough.
Supervalu is one of the largest grocery wholesalers and retailers in the U.S., and the breach could affect thousands of people who shopped at the company's stores between June 22 and July 17, as well as customers from several other major grocery store chains for which Supervalu provides IT services. Supervalu has posted an online FAQ (download PDF) with details about the breach, which followed a criminal intrusion into its payment processing network.
The U.S. is the last among the developed nations to still predominantly use credit and debit cards based on magnetic stripe technology. Most other advanced countries cut over to chip-based cards based on the Europay MasterCard Visa (EMV) standard a long time ago.
EMV-based smartcards have proved to be considerably safer to use than magnetic stripe cards because they are almost impossible to clone. Crooks who manage to steal data from a smartcard would be unable to use it to create a fraudulent card, as they often do with magnetic stripe cards.
In many of the countries that have adopted the technology, users are required to enter a Personal Identification Number (PIN) instead of providing a signature when using the card, thus making the cards almost unhackable. Even if hackers are able to gain access to a smartcard, they need to know the PIN in order to use it.
In the U.S., MasterCard and Visa have set a deadline of October 2015 for all retailers to begin supporting EMV smartcards. After that deadline, any retailer that has not yet made the move would be held liable for the costs of a data breach.
The credit card companies have not mandated the use of PINs in the U.S. Instead, they have left it up to retailers and card-issuing banks to decide whether to require a PIN.
The National Retail Federation (NRF) and other retail industry trade groups have raised a ruckus over this issue. They have claimed that moving to smartcards without having a mandatory PIN is a half-baked move. They have noted, for example, that EMV technology does little to prevent crooks from using stolen card numbers to make online or phone purchases.
In numerous position papers and statements over the past several months, they have proposed alternatives to EMV technology such as tokenization and end-to-end encryption, which they argue are cheaper and more effective.
According to the NRF and others, if the U.S. payment industry has to embrace more secure technology, it makes sense to move to something that addresses both current and emerging security threats and not just part of the problem, as smartcards do.
While such concerns might have merit, they ignore time constraints.
Cybercrooks are not waiting for the U.S. retail industry to debate the merits and demerits of different technologies. In recent years, much of the credit and debit card fraud has migrated from other countries to the U.S. simply because magnetic stripe cards are a much easier target than smartcards.
Smartcards will almost certainly make it harder for crooks to perpetrate payment card fraud. While the cards may not be perfect, they are safer than magnetic stripe cards. There's nothing to stop merchants from implementing a PIN requirement if they want to. Nor is there anything to prevent merchants from adopting end-to-end encryption or tokenization as additional measures to bolster card security.
Implementing better security is going to cost money, with estimates running into the billions of dollars. Across the U.S., merchants will need to replace or upgrade an estimated 13 million point-of-sale systems to make them ready for EMV card transactions. But the alternative is more data breaches of the sort that Supervalu acknowledged this week.
And those often prove even more costly to remediate than just implementing more secure technology in the first place.
Just ask Target.