How Target's Credit Card Security Breach Could Have Been Avoided

 
 
By Wayne Rash  |  Posted 2013-12-24
 
 
 
security

How Target's Credit Card Security Breach Could Have Been Avoided


When thieves broke into the point-of-sale (POS) system at Target, they stole the data from the magnetic stripe on the back of credit and debit cards. Target, like virtually all other stores in the United States, depends on that information on the magnetic stripe to read all the relevant credit card information to make a sale.

But it doesn't need to be that way. In fact, Target could have used an alternate version of its card readers that would have protected credit card customers that had an embedded chip in the card.

I first found out about how those chips, called EMV chips, actually work when I needed one, but didn't have one. I was in line on my first day at CeBIT in Hannover, Germany, to buy my lunch in the press building cafeteria. I handed my credit card to the cashier, and everything stopped. The people in front of me had been passing through with hardly a pause, but the cashier looked at my card and then asked if I had another one.

It turned out that the POS terminals in the cafeteria used EMV chips, rather than the mag stripe on the back of the card. Eventually, they found a cash register with a mag stripe reader, and I was able to pay for my Weiner Schnitzel. But as soon as I got back to the United States, I called my card issuer and was sent a new card with the EMV chip.

The EMV chip that's embedded in my credit card is actually a microprocessor that holds an encrypted version of the information that's on the mag stripe. It establishes communication with the POS terminal and passes the credit card information to it, keeping the data encrypted. If thieves managed to steal the data, which is unlikely, it would still be encrypted and difficult, if not impossible, to use.

The problem is that for the EMV chip to be useful, the customer has to have the embedded chip, and the merchant has to have a card reader that can read it. Those card readers are actually installed in some stores in the United States now, but many don't want to spend the money to upgrade to new card readers.

How do you know if the store you're visiting has such a card reader? For the contactless version, you may see a note on the reader that says something like "Slide your card or tap here" on the card reader where you pay for your purchases. For the EMV reader that contacts the chip directly, you may have to ask.

Then there's the other part of the equation—getting cards with EMV chips into the hands of customers. It turns out that for some card issuers, it's not a problem and it doesn't cost the customer anything.

How Target's Credit Card Security Breach Could Have Been Avoided


"Beginning in September this year [2013], all U.S. Consumer and OPEN cards—with  the exception of Costco and Delta Skymiles—are now available, and enabled with chip and signature," American Express spokesperson Sanette Chao wrote in an email to eWEEK. "The cards can be received by a Card Member upon request."

Chao said that appropriate equipment is also available to merchants. "Merchants in the U.S. can get a card reader that will work with embedded chip products—merchants can get these from POS and terminal manufacturers." Chao noted that American Express doesn't sell those readers and terminals and can't speak to the cost involved, but said that integrating them with American Express can be handled by the merchant directly or through a credit card processor.

"For American Express' embedded chip products, merchant terminals typically require both hardware (to read the contact EMV chip and contactless chip as applicable) and American Express EMV software to read and interact with the chip and process incremental chip data," Chao wrote. "Once loaded with American Express software, merchants are required to certify their devices with American Express (or through their processor) to align with our requirements when accepting our products."

Other credit card companies are also working on the problem. According to MasterCard spokesperson Jim Issokson, the company has issued a road map to move to cards with embedded chips, but actually doing it is up to the card issuer and merchant.

"We introduced our road map for the future of payments—including  EMV—in 2012," Issokson said in an email. "The road map and larger migration have provided issuers and merchants with the flexibility to manage their business and technology decisions. The dates established in the road map are when liability shifts will take effect and not deadlines."

This means that card issuers can decide when, or even if, they will take steps to improve credit card security for customers. A call to Bank of America, for example, revealed that while their credit cards can be embedded with EMV chips, debit cards cannot.

Fortunately, the tide is turning, meaning that major breaches such as that at Target may eventually become a thing of the past. "In the past year, the payments industry has seen a higher demand from merchants for EMV-enabled terminals in the U.S. as EMV technology offers enhanced security and the potential for reduced card fraud, and American Express is actively working with terminal manufacturers, processors and merchants to align with our requirements for our embedded chip payment products," American Express' Chao said. Meanwhile, you can request a secure card, and then ask the store if they can use it.

Rocket Fuel