Data-drained Target hurries to adopt chip-and-PIN cards

Data-drained Target hurries to adopt chip-and-PIN cards

Chip and PIN image courtesy of ShutterstockTarget will adopt chip-and-PIN payment card security for its debit and credit cards, it announced on Tuesday, setting itself up to become probably the first major retailer in the US to take the plunge.

Beginning in early 2015, the horrifically hacked, still scrambling retailer will try to strengthen its bludgeoned security by plugging MasterCard’s chip-and-PIN security into its entire REDcard portfolio.

Chip-and-PIN systems are already widely used in Europe and elsewhere, while the US has been verrrrrrry sloooooooowly inching toward adoption of what’s widely considered to be far more fraud-proof payment cards.

In fact, the large-scale theft of payment card data from the likes of retailers Target and Neiman Marcus have focused attention on the problem of the US’s stubborn refusal to back away from magnetic stripe cards.

Two major credit card companies, MasterCard and Visa, have plans to change to chip and PIN and have both recently set October 2015 as an important deadline in the switch, according to the Wall Street Journal.

Chip-and-PIN cards rely on a microchip embedded in the card, as opposed to the magnetic stripe on the back of nearly all cards used in the US.

The data on that magnetic stripe – known as track data – can be used to fairly easily create counterfeit cards by encoding the data onto any card with a magnetic stripe.

The chips on chip-and-PIN cards, in contrast, can’t be duplicated.

The PIN part of the equation, meanwhile, is also a more secure authentication factor compared with what a card holder scribbles on the bottom of a receipt (a signature that merchants frequently don’t even bother to check).

Mind you, chip-and-PIN is by no means a foolproof payment card security system.

In 2008, Trojanised chip-and-PIN machines in Europe were reported to have been compromised during the manufacturing process.

These Trojanised devices sported additional internal hardware, including a GSM modem, to transmit phished credentials to cybercriminals in Pakistan.

There have also been problems with ATMs and point-of-sale systems (POSes) that process chip-and-PIN cards using random number generators that have proved to be anything but random.

Another weak spot is the PIN entry device (PED) – the device into which customers insert cards.

Cambridge University has demonstrated that two popular brands of PEDs used in the UK don’t encrypt data exchanged between the card and the PED during a transaction.

That means that crooks with “basic technical skills” can record the information and create fake cards that can then be used to withdraw cash from ATMs abroad, as well as at some ATMs in the UK, according to researchers.

But while chip-and-PIN cards and their readers have been demonstrably hackable, they’re still considered better than magnetic-stripe cards.

There are various reasons for why the US has balked at chip-and-PIN, including lack of PIN management features in ATM machines.

Another daunting prospect is that of replacing the extremely extensive existing infrastructure that supports magnetic stripe cards.

A recent payment systems industry white paper compares the changeover to a nationwide replacement of all standard-speed rail service with high-speed trains.

It will be pricey, and it will be tough, given that, as industry sources estimate, the existing infrastructure spans 15 million magnetic stripe POS devices. There were more than 360,000 ATMs as of 2007, credit cards number around 609.8 million, and there are an estimated 520 million debit cards.

The cost to upgrade to chip-and-PIN, as estimated by Javelin Strategy and Research, is about $500 million for ATM upgrades and at least $8 billion to implement EMV – that stands for Europay, MasterCard and Visa, with the acronym designating a global standard for interoperation of these integrated circuit cards.

Target’s chip-and-PIN announcement puts it on track to become probably the first major retailer in the US to bite the bullet on these daunting changes and sky-high costs as it moves to chip-and-PIN.

It will be interesting to see which other major retailers follow that big red Target dot as it bounces toward chip-and-PIN and how long it will take them to get there.

It will be even more interesting to see what widespread chip-and-PIN adoption will do to the rate of credit card fraud in the US, which is far higher than you find in other countries.

As Business Week reported in December 2013, the US last year accounted for 47% of global fraud, while processing just 24% of the payments by volume.

Finally, the US might just well be on the path to seeing that unenviable number shrink.

Image of chip and PIN courtesy of Shutterstock.