The recent avalanche of breaches that resulted in tens of millions of payment cards being compromised has shook both the US retail market and the customers.
Despite subsequent revelations that Neiman Marcus, Michaels Stores and other retailers have been hit in the same way (with POS memory-scraping malware), the amount of credit card information stolen in the Target breach made it the one that captured the attention of US shoppers the most.
And as some of them lost the confidence in the retailers’ capability to protect their data and have reverted to paying with cash, others are still praising the convenience of payment cards.
But for Target, a retailer well-known for its extensive customer data collection and data mining, the fact that its customers might choose not to leave a trail of their shopping habits is anything but good news.
Add to this the fact that the company is already looking at two class action lawsuits filed against them in the wake of the breach, and that hearings about it have been scheduled with the Senate banking subcommittee, and it’s no wonder that the company has been forced into full-on damage control mode.
John Mulligan, Target’s Chief Financial Officer, has written an opinion piece for The Hill calling for a change: the time has come for US payment card companies and businesses to switch to chip-enabled smartcards.
He’s only partially right. The time for these smartcards was a long time ago, only the cost of a nation-wide introduction was higher than that of the various consequences of this type of breaches.
“At Target, we’ve been working for years towards adoption of this technology. Since the breach, we are accelerating our own $100 million investment to put chip-enabled technology in place,” Mulligan shared, adding that their goal is to implement this technology in their stores and on their proprietary REDcards by early 2015.
Does it really take that long to implement a technology that has been proven to be more secure and has been widely used in the EU, UK and Canada for years now? Apparently it does.
“A reason the United States has been slow to embrace change is that all players in the payments system – merchants, issuers, banks and the networks – have not been able to find common ground on how to share the costs of implementation,” he says. I assume that this was not just a reason, but THE reason.
“About 10 years ago, Target piloted an early generation of the chip-enabled technology on the Target VISA REDcard, with mixed results. Notably, the cards were much more expensive to produce and required the replacement of store card-readers,” Mulligan shared. “Also, the technology at that time would have only been usable in our stores, making for a confusing experience for customers, overall. After three years of going it alone, we discontinued the program.”
He’s right in saying that the change has to happen, and that all the players have to get involved. The question is, has the cost of change become less than the cost (financial, reputational) of a breach for everyone? I doubt it.
InfoWorld’s Paul Venezia has a good idea: dole out big fines for big breaches.
“In every case, the retailers express their sorrow and sympathy, and they promise to not let it happen again. But it will happen again,” he points out. “Target will get some negative publicity for a little while, lose some sales, and go back to business as usual.
“JP Morgan estimates that the Target breach could incur damages of up to $18 billion,” he noted. “If the company had to pay $18 billion in damages, well, that might make a statement.”
He also put forward another alternative: an enforceable opt-out option for customers who don’t want to have their personal, financial and transactional information collected by anyone in the first place.
Unfortunately, I don’t see that happening, in the near OR far future.