Three months after coming to light, the massive exposure of 40 million card accounts at Target Corp. still has the payments industry and consumers talking about what should be done to prevent this happening again. In the United States, that is.
Across the Atlantic, where banks and payments companies have watched the data-loss drama unfold from afar, industry insiders say that there's a sense that the same kind of attack is less likely to happen here.
"We've not seen anything specific to the Target breach," says Kieran Hines, content director for Datamonitor International in London. "Issues like mass compromises cause a lot of issues for fraud prevention teams, and the impact of the Target [breach] is big in the States. But from the perspective here, there's not a lot of effect."
European payments players and retailers may have a right to feel more than a little smug about their sense of security. According to a recent Datamonitor survey of 27,000 consumers in 21 countries, U.S. consumers are almost twice as likely as their European counterparts to have been the victim of payments fraud in the past three years (11.3 percent in Europe versus 21.9 percent in the U.S.).
Target itself has sped up its plans to convert to EMV-chip cards, which improve security over magnetic stripe cards, in the U.S. And prior to the breach, Visa, MasterCard, American Express and Discover were already in the process of converting most or all of their U.S. cards to chip by October 2015, after which time fraud liability will shift to any retailers who did not migrate their technology.
But in Europe, so far there haven't been any shifts in security strategy that are attributable to the Target breach, or even a shift from the current security strategies attributable to other causes, says Gilles Ubaghs, senior analyst for financial services technology for Ovum, a London-based research firm.
"In many ways European attitudes to security have become quite relaxed following the initial success of EMV," says Ubaghs. "On many major metrics, particularly for cloned cards, the value of fraud has fallen off a cliff. For many payment providers this has really taken their focus off of fraud as they perceive it as an issue that has in large part been dealt with."
There's the wider perception seems to be that fraud in Europe is "quite manageable" and anecdotally, attendance at fraud conferences seems to be "dropping year by year," he says. With fraud in decline and so many other investment demands in a bank, Ubaghs adds, "there's not much willingness to invest further resources into something that's already heading in the right direction."
The United States is so far behind other countries in its shift to EMV that, prior to the card networks setting a timeline for EMV migration, some experts predicted the U.S. adoption of EMV would fare about as well as its adoption of the metric system.
Fraudsters have taken notice, and typically see the U.S. as an easier target because of its widespread use of magnetic-stripe cards, says Michelle Evans, senior analyst of consumer finance for Euromonitor International.
"Criminals notoriously target the weakest part of the payments system, which today is the United States," according to Evans.
However, just because EMV may be safer than the older mag stripe cards, "it is certainly not fool proof an embedded chip in the card just makes the fraud more difficult and expensive for criminals to execute," she says. "However, cyber crooks are never going to stop pursuing the weakest links in the payments chain to steal data and one day soon that weak link will be the EMV system."
As the U.S. shifts in the coming years to the type of EMV payment system that exists in nearly every other part of the world, "that will effectively raise the bar in terms of what other markets, such as Europe, will have to do to protect its payment system It will close the gap between it and other countries in terms of its level of card payment security," Evans says.
Ubaghs points out that other forms of fraud particularly card-not-present fraud may already be on the rise in Europe. That fact, combined with "high-impact events" like the U.S. Target breach, may ultimately have repercussions, he says.
"This is the most visible loss in monetary value from one of these events," he says. "This may refocus European attitudes to tightening up their own security. Measurements of cost of fraud need to move beyond just the initial loss from the fraud itself into the reputational damage these issues can have."
While "no major shifts in strategy seem apparent," Ubaghs says he would expect to see a more focused approach to security reemerging, and "essentially a double checking of the locks and keys on their existing payment infrastructure."
Hines notes that the Target breach itself had less to do with EMV than the increasingly common e-commerce fraud. Therefore, he says, if the Target attack does have a ripple effect in Europe, it will be in driving the payments industry to improve on their authentication of online customers and protection of information here.
"That's very much where the industry is moving," Hines says, "trying to figure out, without the customer knowing, that you're effectively profiling each transaction."
While the Target breach may not signal quite the same clarion call outside the United States, Evans agrees that European payment providers will have to continuously implement new layers of security to protect cardholder data, including measures such as tokenization to obscure the data, real-time fraud alert programs to provide earlier detection and stronger systems that ensure that vendor's access to systems does not compromise the security of important customer data.
"Ultimately, victory over fraud is about staying one step ahead of the cyber crooks," says Evans, "but as the United States moves towards EMV that will change the payment landscape and make every other EMV market an equal target for fraud."
