Retailers plodding toward accepting higher-security payment cards

Target is speeding up support for chip-and-PIN payment cards to restore consumer confidence shaken by last year's massive data breach. But many other retailers feel less of an urgency to adopt the more secure technology.

Target plans to complete the needed technology upgrade at payment terminals in its 1,797 U.S. stores by next September, which is about six months ahead of schedule, a spokeswoman for the retailer told IDG News. The total cost of the upgrade is $100 million.

During last year's holiday shopping season, hackers broke into Target's point-of-sale terminals and stole 40 million payment card records. The breach has spawned 80 lawsuits and cost the retailer $61 million in remediation costs in the fourth quarter of 2013.

Chip-and-PIN cards, which are widely used in Europe and elsewhere, use a microchip to store customer data, eliminating the less secure magnetic stripe found on most U.S. payment cards today.

Visa and Mastercard have set an October 2015 deadline for retailers to accept the new cards. Those that do not will be liable for fraudulent purchases made with the older cards.

As ominous as that sounds, many retailers are not hurrying to make the transition to the expensive technology required to accept the more secure cards. Experts estimate that the transition would cost the industry $30 billion.

"Retailers who I speak to are mainly planning to upgrade their terminals (to accept chip-and-PINn cards) as part of their normal upgrade cycles," Avivah Litan, analyst for Gartner said. "I don't see any of them rushing just to meet this liability shift deadline."

The National Retail Federation declined comment on the credit-card companies' timetable, but said it supported the move to more secure cards in general.

"If we're going to transition to a more secure system, then we should transition to a chip-and-PIN-based system," Stephen Schatz, spokesman for the trade association, said.

That move for many retailers won't be completed by October 2015, said Randy Vanderhoof, executive director of the EMV Migration Forum, an independent, cross-industry group created to address issues related to the move to chip-and-PIN cards, which are also called smartcards.

"We're going to be going through a transition phase that had begun two years ago and still has probably two or four more years to go," Vanderhoof said.

By then, most consumers will have smartcards and the majority of retailers will have the technology in place to support them, he said.

Chip-and-PIN cards can improve security by requiring a PIN, or personal identification number, when making a purchase. However, most of the cards are configured to only require a PIN when making a debit transaction.

The biggest benefit of the cards is the chip, which prevents cybercriminals who have stolen credit card numbers from using them to make counterfeit cards.

Retailers face severe damages from a major data breach. A third of consumers whose personal data has been compromised avoid doing business with the retailer after a breach, a study released this week by Javelin Strategy & Research, found.

"Retail is highly commoditized," Al Pascual, analyst for Javelin Strategy, said. "If Target doesn't work out for me, than I can go across the street to any Wal-Mart."

Wal-Mart has been pushing Visa and Mastercard to move faster in requiring chip-and-PIN cards, Avivah said.

"They want to standardize their equipment across the globe for economic reasons and the U.S. is one of the only countries that hasn't yet moved to chip-card acceptance," she said.

Join the CSO newsletter!

Error: Please check your email address.

Tags fraud prevention controlscredit card securityCredit card fraudRetailer breachesindustry verticalsmalwarecybercrimefraud preventionTargetretailsecurityvisalegal

More about GartnerIDGJavelinMastercardVisaWal-Mart

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts