Target looks to reassure consumers with move to chip and pin
Target slates rollout of chip and pin for its payment cards for next year
IDG News Service - Target is upgrading the security of its store-branded payment cards and making other network improvements as it seeks to restore confidence after one of the largest-ever data breaches last year.
The retailer will upgrade three types of payment card it uses to support chip-and-pin technology, where a microchip on the card holds customer data to improve security. It will also update its payment terminals to accept chip and pin, at a total cost of $100 million.
Visa and Mastercard have set a deadline for U.S. retailers to be able to accept chip-and-pin cards by October 2015. If the deadline isn't met, the liability for fraudulent purchases made with chip cards resides with retailers.
Target spokeswoman Molly Snyder said Tuesday the company already had plans to accommodate chip-and-pin cards, widely used in Europe and elsewhere, but has accelerated its technology upgrade by about six months.
Avivah Litan, a vice president at Gartner with expertise in payments, said chip-and-pin cards would in theory have prevented Target's data breach in which it lost 40 million payment card records via malicious software on its network.
She said Target's move is more than symbolic even though the retailer was already moving to chip-and-pin. It gives customers a more secure way to pay using Target's branded cards, she said.
"It's good for consumers, and in the end, probably going to be good for Target," Litan said.
Target has been under intense pressure to shore up its network following the breach. It is facing 80 civil lawsuits and inquiries from regulators including state attorneys general, the Federal Trade Commission and the U.S. Securities and Exchange Commission, according to its March 14 annual report.
Starting next year, Target will upgrade its debit cards, called REDcards, which account for around 20% of Target's sales, to chip and pin.
The cards include a credit card and a debit card that Target issues and can only be used at its stores. The upgrade also applies to a credit card co-branded with MasterCard that can be used anywhere, Snyder said.
Target is also rolling out new software and payment terminals compatible with chip and pin to its 1,797 U.S. stores by next September.
So far, cybercriminals haven't been able to steal sensitive data from the microchip of chip-and-pin cards, although some computer security researchers have found ways to attack the system.
Visa and MasterCard have long championed chip and pin as a replacement for magnetic stripe cards. Data can be easily copied from the magnetic stripe with off-the-shelf equipment.
Chip-and-pin cards still have a security hole, however: most still have the magnetic stripe, since they wouldn't work at most U.S. stores today without it. That could change as the U.S. moves toward full chip-and-pin compliance, but the transition could take years.
Target hasn't said if it will dispense with the magnetic stripe for the two cards that can only be used at its stores, Snyder said. But Litan said that would make sense.
"Target could remove those mag stripes from those cards since because they have a 'closed ecosystem,'" Litan said, meaning the cards are only used at its own stores.
The retailer said it is also enhancing monitor and logging across its network. In March, Target admitted its security dismissed early signs of the data breach that showed up in its logs.
Send news tips and comments to firstname.lastname@example.org. Follow me on Twitter: @jeremy_kirk
- Securing Mobile App Data - Comparing Containers and App Wrappers Analysts agree that Mobile Device Management (MDM) is not enough when it comes to securing app data. Although it remains a critical component...
- PCI 3.0 Compliance In this white paper, learn how PCI-DSS 3.0 effects how you deploy and maintain PCI compliant networks using CradlePoint devices.
- Mitigating Security Risks at the Networks Edge This white paper provides strategies and best practices for distributed enterprises to protect their networks against vulnerabilities, threats, and malicious attacks.
- 5 Strategies for Modern Data Protection Read the five strategies for modern data protection that will not only help solve your current data management challenges but also ensure that...
- Business-driven data protection Setting up data protection infrastructures with your organizations' core mission or business in mind is key. In this webinar, the ARCserve team will...
- On-Demand Webinar: Mind the Gap! Watch the webinar featuring Bob Janssen, CTO and Co-Founder of RES Software, to start building a solid foundation for business and IT to... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!