WASHINGTON—Target CFO John Mulligan told the Senate Judiciary Committee that his company, which was the target of a massive data breach in late 2013, has begun the process of implementing secure EMV cards at all of its stores.
Mulligan said that about 300 Target stores in the United States (all in California) have already been equipped with EMV or “Chip and PIN” technology, and that the entire chain would be equipped with the appropriate card readers by the end of 2014, and would have them in operation by January 2015.
Mulligan also said that the company’s own credit and debit cards would be equipped with EMV (Europay, MasterCard, Visa) chips by the end of 2014. “Target is accelerating our investment in chip technology for our Target REDcards and stores’ point-of-sale terminals,” Mulligan said in his testimony. “We believe that chip-enabled technologies are critical to providing enhanced protection for consumers, which is why we are a founding, and steering committee, member of the EMV Migration Forum at the SmartCard Alliance.”
Ironically, Target was the first major retailer in the U.S. to attempt to implement EMV card technology in 2003, but was forced to abandon the attempt because of lack of support from the payment card and banking industries. Mulligan noted in an article he published on Target’s Website that his company already uses EMV technology at its Canadian stores where it has seen a 72 percent drop in credit card fraud.
Mulligan was hardly alone in his call for EMV-equipped cards. Virtually every witness at the Judiciary Committee hearing, and at the hearing held on Feb. 3 by the Senate Banking Committee’s Subcommittee on National Security and International Trade and Finance, called for implementation of chip and PIN cards as soon as possible. Likewise, Sen. Mark Warner (D-Va.), who chaired that hearing, repeatedly pressed witnesses on reasons for delays in adopting the chip and PIN system.
There were exceptions. Michael Kingston, CIO for Neiman Marcus, declined to say that his company would actively move to EMV technology, noting that the company currently has no PIN pads at point-of-sale terminals. However, he did say that if new legislation were to require such security, the company would comply.
Kingston said in his testimony that the Neiman Marcus data breach was limited to relatively short periods of time at some stores. Other witnesses strongly supported the implementation of EMV technology as soon as possible.
Consumers Union counsel Delara Derakhshani told the Committee that the organization has been working hard to help consumers avoid getting caught up in data breaches, but that basic protections such as EMV-equipped cards are necessary.
Target Tells Senate It’s Speeding Up Plans to Accept EMV Credit Cards
“The credit cards and debit cards most Americans use are surprisingly vulnerable to fraud, relying on decades-old technology that makes them susceptible,” she said. When asked why it was taking so long for American consumers to be protected by the technology already in common use everywhere else in the world, Derakhshani said that it was because it costs money. Many merchants and banks are reluctant to spend the money if they don’t have to.
Previous efforts to implement more secure payment card standards through legislation have spent years being tied up in conflicting demands between banks, merchants and card issuers, a problem that Sen. Warner noted in the February 3 hearing.
“We don’t need another long-term fight between the bankers, the retailers and the card industry,” Warner said. “Many of us have gone through that kind of battle.” He said that a repeat of such a conflict in an attempt to get a solution serves no one. “The hackers in Russia, China, Ukraine and throughout the world are not waiting for America to get its act together on this issue. They are continuing to strike us every day,” Warner said.
During the hearing Target’s Mulligan revealed that the malware that infected the company’s POS terminals was specifically designed to overcome attempts to detect it while making use of specialized features in the POS system to gather and exfiltrate the information without detection. He said that originally the malware was introduced into Target’s system through a compromised contractor who had access to the company’s data system.
If anything became apparent during today’s hearings, it was that the greatest single obstacle to adopting a more secure payment card system in the United States is inertia. The banks are trying to avoid spending money on an improved system, as are the card issuers. In addition, many merchants are fighting the increased security because they don’t want to buy the chip and PIN terminals that are required to read the cards.
One other thing was clear: everyone said that they’d agree to move forward if legislation required it. But in the absence of legislation, there is one other force that can make a difference—consumers. If consumers begin to demand that merchants provide chip and PIN EMV support, the merchants will have little choice but to demand it from their banks and card issuers. In addition, it’s worth seeking out companies that already support EMV cards and shopping there.