By now you have likely heard of the data breach that hit Target late last year. Some 40 million people had their card data stolen in a breach that started with a third-party vendor that had remote access to Target's network. At a high level, an employee of the vendor fell for a phishing attack, the attackers obtained the vendor's credentials for Target's vendor-facing systems, used them to get a foothold on Target's network, and moved from there to the Point-of-Sale (POS) systems, where memory-scraping malware harvested card data as cards were swiped. The result is that consumers were defrauded, banks had to cancel and reissue cards, and Target was sued over the breach, not only by consumers in a class-action suit, but by the banks that issued the cards to those consumers.
Target was subject to PCI DSS, the Payment Card Industry Data Security Standard, a set of rules governing how merchants and their service providers must handle sensitive card data. Having guided numerous companies through the PCI compliance waters, I can tell you it is tedious at best, and torturous for those companies that are woefully unprepared. It can also be quite expensive, between the system and software updates and the audits necessary to complete the process. Target, for what it is worth, had been assessed as PCI compliant not long before the breach, which tells you that an attestation is a point-in-time snapshot and not proof that the controls are still holding. And the technology that compliance is built around is second-rate for no good reason. Given the visibility of the Target breach, the recent breaches at the grocery store chain that owns Albertsons, and the mega-breach at Home Depot, everyone is finally sitting up and taking notice.
And it’s about damn time.
The United States is 20 years behind Europe in credit card technology. Widely cited industry figures put the US at roughly a quarter of global card volume but close to half of global card fraud losses, and I think a large part of this is because it is just too easy to steal and reuse card data with the current setup in the US. And let's talk a little about what I mean by "setup": I mean retailers are being set up to fail by an antiquated credit card system, antiquated legislation, and a view of the world that places the blame almost entirely on the retailer.
The card brands have set October 2015 as the liability-shift date for EMV, commonly called "chip and PIN" (though most US issuers are actually rolling out chip-and-signature, which keeps the chip's protection against counterfeit cards but not the PIN's protection against use of a lost or stolen card). It is not a mandate: after that date, whichever party has not adopted chip technology, the merchant or the issuer, eats the loss on counterfeit-card fraud the chip would have prevented. It is expected that many retailers will miss this date, and that could largely be due to cost. Target, for example, with almost 1,800 stores in the US, many of them with more than 20 checkout lanes, each requiring a new EMV reader at roughly $1,000 apiece, could see a one-time hit of $36 million, probably more, just to put the readers in place. Then come the changes to back-end systems necessary to process EMV transactions.
On the other end of the spectrum is Walmart, which began investing in EMV eight years ago but has activated it in only about 15% of its stores. Why? Lack of industry support. And that ought to tell you something about the industry as a whole.
It is high time to stop looking solely at the retailer when there is a breach. Yes, there are certainly precautions retailers should take. But for card issuers to set deadlines that are two decades behind the times, alongside an industry that only seemed to feign support for better technology, is rather disingenuous. So why the change now? Probably because the liability associated with a breach is finally exceeding the cost of implementing the new technology. Plus, the public is finally furious. One caveat is worth stating plainly: EMV is worth having, because a chip transaction produces a one-time cryptogram and its track data cannot be replayed to mint counterfeit magstripe cards the way the Target and Home Depot data could, but it is not a cure for breaches. A terminal that still accepts swipes, or that handles the card number unencrypted in memory, can still be scraped, and chip cards do nothing for card-not-present fraud online, which is where fraud has migrated in every market that adopted them. Keeping the card number out of the merchant's systems in the first place, through point-to-point encryption and tokenization, is what actually shrinks the target. While credit card companies have historically covered consumers for the most part, this is a fine example of how some of the fraud burden was transferred to retailers and their customers while the industry and the government took their sweet time playing catch-up.