Target's $100M EMV Migration Shows Just How Tight the Deadline Is

Following its massive 2013 data breach, Target vowed to accelerate its EMV-chip card migration, but the retailer still just barely made the card networks' deadline.

Target, which had toyed with EMV-chip cards as early as 2001, also pushed for industrywide EMV acceptance in the wake of its 2013 breach, despite many concluding that the anti-counterfeiting technology would not have provided any meaningful difference to the outcome of the hack.

Even today, after spending $100 million on hardware and software upgrades, Target isn't done with its EMV efforts; it is merely finished with its point of sale conversion. It must still reissue its store-branded Red Cards as chip-and-PIN cards, a process it expects to run into next year.

But come Oct. 1, the card networks will shift fraud liability to the party not able to handle EMV payments, and Target's retail stores can say they were ready with a month to spare.

"It was a massive undertaking," said Molly Snyder, a spokesperson for Target. Despite the thin margin between the project's completion and the card networks' deadline, "we were always on track to be ahead of the liability shift following our 2013 breach," Snyder said.

But that's a boast many other retailers won't be able to make. Target's data breach gave it far more incentive to shore up its security than any other retailer had, but it still came in just short of the deadline.

"That's a clear indicator that the migration is just getting started, and is backlogged," said Rick Oglesby, a partner and head of product consulting and market research for Double Diamond Payments Research.

Target works with external vendors for its point of sale and payment security technology, though it did not disclose the names of these partners.

Target's data breach became a touchpoint for everything from arguments over issuer liability to the overall safety of card payments. The retailer has also faced more than a year of legal challenges over responsibility for financial losses stemming from the breach.

Target's completion of its point of sale EMV migration puts it ahead of many merchants, particularly smaller retailers that are expected to miss the October liability shift date, perhaps by a wide margin, hamstrung by resource shortfalls and a lack of options.

"Some merchants are higher-risk than others when it comes to the potential loss from the liability transfer," Oglesby said, adding larger merchants that sell theft-prone merchandise such as electronics and jewelry will need to move first. "However, it's also important to note that EMV prevents counterfeit credit card fraud, which is the domain of the professional fraudster," he said.

Thus, fraud will shift to the merchants that are not yet EMV compliant. "Eventually the fraud migration will force merchants of all types to convert, but that process could take some time," Oglesby said.

There's also a potential bottleneck as retailers rush to meet the October shift date, combined with earlier delays caused by regulatory uncertainty tied to the Durbin amendment's rules covering debit routing. The debit routing issue caused a clear delay in migration, Oglesby said.