Why Target's CEO Changed His Mind About EMV

It's been roughly a decade since Target executives ended their attempts to convert to EMV-chip payment cards to improve security. After a massive breach of magnetic-stripe card data, it seems they have changed their minds yet again.

From 2001 to 2004, Target worked with Visa to push for smart-card use in its stores.

The momentum halted because of factors that continue to plague EMV to this day — concerns about cost, speed and the learning curve for clerks and consumers.

In the wake of disclosing a breach of 40 million card accounts and 70 million customer contact records, Target CEO Gregg Steinhafel has urged retailers and banks to deploy EMV chip-based cards to thwart data breaches at the point of sale.

"In the United States, we're using mag-stripe technology, and that's old technology, and there is a better way and it's called EMV technology," Steinhafel said in a recent interview with CNBC. "We think it's time for America to make that commitment to get to that standard … we want to lead in that conversation."

Ten years ago, Steinhafel was one of the EMV program's skeptics, according to The Wall Street Journal. In the intervening years, has so much changed that the secure card technology has won over its critics?

This time around, the big difference is that Target is not alone. Visa, MasterCard, American Express and Discover have all set timelines for most merchants to accept EMV cards by October 2015 (fuel merchants have an extra two years). It's now possible for a U.S. resident to get an EMV-chip card, commonly called chip-and-PIN in other countries, from a major bank.

But the emphasis on EMV as a cure for card fraud is a bit of misdirection, some experts say.

"Even with EMV, they still would have suffered this breach because they have no tokenization in place and card not present is still fair game [with stolen data]," says Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.

EMV protects the counterfeiting of physical cards but does not protect card-not-present channels, such as websites, she says. Tokenization, a process of protecting card account data by swapping it with a limited-use "token" when the card is swiped, wouldn't have required EMV to be in place, she says.

"It feels kind of like a magician's trick to me, as in look over here, not over there," Conroy says of Target emphasizing EMV support at this time. "Tokenization is much more lightweight than end-to-end encryption, and Target could have adopted that years ago."

Target did not respond to inquiries prior to deadline.

The EMV-chip card is not really pertinent to how the Target breach occurred, Conroy says. The attacker's malware would have penetrated the Target payment system regardless of what type of cards the consumers were using, she adds.

Still, the fact remains that Target was a victim in this case and it is not hypocritical for the company CEO to sing the praises of tighter security through EMV at this time, says Avivah Litan, a vice president at Stamford, Conn.-based Gartner Inc.

"Walmart has been asking for the same thing with EMV for years now," Litan says. "But it's not up to the retailers only to do this."

The entire payments ecosystem has to come together to meaningfully improve security through EMV and other technologies, Litan adds.

Target was before its time in seeking smartcard technology in 2001, Litan says. But its options were limited.

Security vendors apparently had nothing on the market that could spot the so-called Black POS malware that reports have indicated a Russian teen developed to attack the Target system, Litan says. "How can we expect Target to see it?" she adds.

The use of EMV chip cards would have helped Target from the standpoint of making it difficult for fraudsters to make duplicate cards, Litan says.

In addition, Target last week announced a $5 million investment in a new cybersecurity coalition to help educate consumers and organizations about digital crimes and how to protect payment and personal data.

In a parallel to Target's vocal support of EMV technology at this time, Heartland Payment Systems Inc. became an advocate of end-to-end encryption in the months following the 2008 data breach at the payment processor.

Target is not in a similar position, however, as it is not a vendor of security technology.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER