Target's MasterCard Move Sends a Security Signal in EMV Adoption

Target Corp.'s choice to work with MasterCard Inc. for chip-and-PIN credit and debit cards next year makes a strong statement about payment security.

"Target chose PIN to provide the highest level of security available," MasterCard spokesman Jim Issokson states in an e-mail. "MasterCard has been vocal and steadfast on the importance of moving to EMV.  Our roadmap provides merchants and issuers with choices on how to implement EMV based on their individual needs."

Both Visa, the network for Target's current magstripe cards, and MasterCard allow issuers to choose chip-and-PIN or chip-and-signature authentication for EMV cards. But MasterCard has been more outspoken about PIN security, while Visa has talked up signature authentication for its ease of deployment.

"I don't see this as a big loss for Visa," since Target will still accept Visa cards from shoppers, says Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group. "Target has not been particularly close to Visa in the last few years," and as part of its switch to MasterCard, it is "picking a technology that will work across all of its cards," she says.

Visa did not respond to inquiries from PaymentsSource by deadline.

The Target deal is the second major retailer win for MasterCard in recent weeks. MasterCard announced a deal with Wal-Mart Stores Inc. on April 4 to handle the retailer's store-branded credit card transactions. The move, which did not specifically involve EMV cards, ended Walmart's nine-year relationship with Discover Financial Services.

Target's announcement today regarding the issuing of its REDcards with MasterCard technology and processing on MasterCard's network follows the retailer's pledge to forge ahead with EMV adoption at least six months prior to the card brands' liability shift deadline of October 2015. 

Prior to testifying at a Senate Judiciary Committee meeting on Feb. 4, Target chief financial officer John Mulligan said Target would support the use of PIN, or personal identification number, to authenticate EMV transactions even though many U.S. issuers planned to take a "signature-only" approach.

PIN security is still a prickly topic, since consumers might stop using retailers' cards if they forget the PIN, Conroy says.

"One of the key reasons banks are choosing chip-and-signature is the fact that the risk of going to back of wallet due to forgotten PINs outweighs the amount of money that could be saved by tackling lost or stolen fraud," Conroy says.

Target's decision to go with MasterCard and chip-and-PIN is not surprising, considering Target's incentive to deliver the "highest appearance of security, given the PR problems their breach created," Conroy adds.

Security experts generally agree that EMV technology would not have prevented the Target data breach, which reportedly occurred when hackers compromised credentials used for access to the retailer's heating and air-conditioning system and made their way to payment data once inside.

However, the use of EMV smart cards would limit the value of the data that a hacker can access once inside of a payments network, since EMV chips deter counterfeiting.

Target also named Bob DeRodes as new chief information officer. The previous CIO, Beth Jacob, resigned on March 5 in the aftermath of the holiday-season data breach. DeRodes will take his position on May 5 as an executive vice president in addition to his CIO role.

In announcing the change, Target says DeRodes will oversee Target's technology team and be responsible for the "ongoing data security enhancement efforts" in addition to the retailer's long-term information technology and digital plans.