US retailer Target seeks to assure consumers with move to chip and pin

Target's rollout of chip and pin for its payment cards will begin next year

Target is upgrading the security of its store-branded payment cards and making other network improvements as it seeks to restore confidence after one of the largest-ever data breaches last year.

The retailer will upgrade three types of payment card it uses to support chip-and-pin technology, where a microchip on the card holds customer data to improve security. It will also update its payment terminals to accept chip and pin, at a total cost of $100 million.

Visa and Mastercard have set a deadline for U.S. retailers to be able to accept chip-and-pin cards by October 2015. If the deadline isn't met, the liability for fraudulent purchases made with chip cards resides with retailers.

Target spokeswoman Molly Snyder said Tuesday the company already had plans to accommodate chip-and-pin cards, widely used in Europe and elsewhere, but has accelerated its technology upgrade by about six months.

Avivah Litan, a vice president at Gartner with expertise in payments, said chip-and-pin cards would in theory have prevented Target's data breach in which it lost 40 million payment card records via malicious software on its network.

She said Target's move is more than symbolic even though the retailer was already moving to chip-and-pin. It gives customers a more secure way to pay using Target's branded cards, she said.

"It's good for consumers, and in the end, probably going to be good for Target," Litan said.

Target has been under intense pressure to shore up its network following the breach. It is facing 80 civil lawsuits and inquiries from regulators including state attorneys general, the Federal Trade Commission and the U.S. Securities and Exchange Commission, according to its March 14 annual report.

Starting next year, Target will upgrade its debit cards, called REDcards, which account for around 20 percent of Target's sales, to chip and pin.

The cards include a credit card and a debit card that Target issues and can only be used at its stores. The upgrade also applies to a credit card co-branded with MasterCard that can be used anywhere, Snyder said.

Target is also rolling out new software and payment terminals compatible with chip and pin to its 1,797 U.S. stores by next September.

So far, cybercriminals haven't been able to steal sensitive data from the microchip of chip-and-pin cards, although some computer security researchers have found ways to attack the system.

Visa and MasterCard have long championed chip and pin as a replacement for magnetic stripe cards. Data can be easily copied from the magnetic stripe with off-the-shelf equipment.

Chip-and-pin cards still have a security hole, however: most still have the magnetic stripe, since they wouldn't work at most U.S. stores today without it. That could change as the U.S. moves toward full chip-and-pin compliance, but the transition could take years.

Target hasn't said if it will dispense with the magnetic stripe for the two cards that can only be used at its stores, Snyder said. But Litan said that would make sense.

"Target could remove those mag stripes from those cards since because they have a 'closed ecosystem,'" Litan said, meaning the cards are only used at its own stores.

The retailer said it is also enhancing monitor and logging across its network. In March, Target admitted its security dismissed early signs of the data breach that showed up in its logs.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags TargetintrusionsecurityIdentity fraud / theftmalwarefraud

More about Federal Trade CommissionGartnerMastercardSecurities and Exchange CommissionVisa

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts