How Target's Credit Card Security Breach Could Have Been Avoided

NEWS ANALYSIS: A simple security measure used widely, except in the U.S., would have prevented the theft of 40 million customer mag stripes from Target.


When thieves broke into the point-of-sale (POS) system at Target, they stole the data from the magnetic stripe on the back of credit and debit cards. Target, like virtually all other stores in the United States, depends on that information on the magnetic stripe to read all the relevant credit card information to make a sale.

But it doesn't need to be that way. In fact, Target could have used an alternate version of its card readers that would have protected credit card customers that had an embedded chip in the card.

I first found out about how those chips, called EMV chips, actually work when I needed one, but didn't have one. I was in line on my first day at CeBIT in Hannover, Germany, to buy my lunch in the press building cafeteria. I handed my credit card to the cashier, and everything stopped. The people in front of me had been passing through with hardly a pause, but the cashier looked at my card and then asked if I had another one.

It turned out that the POS terminals in the cafeteria used EMV chips, rather than the mag stripe on the back of the card. Eventually, they found a cash register with a mag stripe reader, and I was able to pay for my Weiner Schnitzel. But as soon as I got back to the United States, I called my card issuer and was sent a new card with the EMV chip.

The EMV chip that's embedded in my credit card is actually a microprocessor that holds an encrypted version of the information that's on the mag stripe. It establishes communication with the POS terminal and passes the credit card information to it, keeping the data encrypted. If thieves managed to steal the data, which is unlikely, it would still be encrypted and difficult, if not impossible, to use.

The problem is that for the EMV chip to be useful, the customer has to have the embedded chip, and the merchant has to have a card reader that can read it. Those card readers are actually installed in some stores in the United States now, but many don't want to spend the money to upgrade to new card readers.

How do you know if the store you're visiting has such a card reader? For the contactless version, you may see a note on the reader that says something like "Slide your card or tap here" on the card reader where you pay for your purchases. For the EMV reader that contacts the chip directly, you may have to ask.

Then there's the other part of the equation—getting cards with EMV chips into the hands of customers. It turns out that for some card issuers, it's not a problem and it doesn't cost the customer anything.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...