National Retail Federation: Target Breach Shows Need For Upgrades
In the wake of the holiday season data theft Target and other retail chains suffered, the National Retail Federation is calling for upgrades to credit card security mechanisms. But one electronic transaction group says that won’t solve all the issues.
First it sounded really bad. Then it got a lot worse.
Now a major retail association is calling for some major changes to payment processing systems that millions of stores nationwide rely on, as reports about the nature of the hacking incident that affected Target and other retailers suggest more fundamental problems for the industry. More details:
The latest details: Last week, Target revealed that the payment card data breach it initially pegged as affecting as many as 40 million customers also put the personal information of as many as 70 million people at risk, with data thieves gaining access to their names, addresses, and phone numbers. “This theft is not a new breach, but was uncovered as part of the ongoing investigation,” the company stated. Target is offering a year of free credit monitoring and identity theft protection to its shoppers who were affected by the breach.
Not limited to Target: The Neiman Marcus department store chain also was hit by data theft over the holidays, and according to a Reuters report, at least three other well-known retail chains have suffered from similar incidents, though none on Target’s scale. While laws requiring disclosure of such retail breaches exist, the Target and Neiman Marcus disclosures only became public after stories by security journalist Brian Krebs raised questions. American Bankers Association spokesman Doug Johnson says that even if credit card processors are aware of breaches, they cannot reveal the retailer affected. “It is really frustrating to the bank and also the customer,” Johnson told Reuters.
A push for better security: Mallory Duncan, general counsel for the National Retail Federation, has suggested that much of the problem lies with the outdated credit and debit card technology still in use. Much of the world uses cards that contain built-in digital chips that require users to input a PIN each time the card is used and tie each transaction to a unique code, making stolen credit card data less useful to hackers. But the technology has not been widely adopted in the U.S. due to its higher cost and the perception that retail fraud has remained a manageable. But after the recent breaches, the NRF is encouraging its members to transition to more-secure systems. “The technology that exists in cards out there is 20th-century technology, and we’ve got 21st-century hackers,” Duncan told Reuters.
Complications: As the Associated Press notes, one big question is who would pay for the upgrades. Would it be the retailers, the credit card companies, or the banks? For its part, the Electronic Transactions Association, which represents payment processors, says that the industry is already working on security upgrades—including chip-based Europay, MasterCard, and Visa (EMV) cards—but that they won’t completely solve the problem. “[T]he EMV migration and the Target breach are different things,” ETA CEO Jason Oxman wrote in a USA Today op-ed. “It’s true that EMV chip cards can prevent criminals from producing counterfeit cards using stolen account numbers. But EMV doesn’t stop criminals using stolen cards online. So innovators are deploying new technologies to deter other forms of fraud.”
ETA offers card users a series of tips to help protect data, including how to manage passwords and pins and send “fraud alerts” to credit reporting agencies.
(photo by Justin Sullivan/Getty Images)