Target’s move to chip and pin seeks to assure consumers

Target is upgrading the security of its store-branded payment cards and making other network improvements as it seeks to restore confidence after one of the largest-ever data breaches last year.

The retailer will upgrade three types of payment card it uses to support chip-and-pin technology, where a microchip on the card holds customer data to improve security. It will also update its payment terminals to accept chip and pin, at a total cost of $100 million.

Visa and Mastercard have set a deadline for U.S. retailers to be able to accept chip-and-pin cards by October 2015. If the deadline isn’t met, the liability for fraudulent purchases made with chip cards resides with retailers.

Target spokeswoman Molly Snyder said Tuesday the company already had plans to accommodate chip-and-pin cards, widely used in Europe and elsewhere, but has accelerated its technology upgrade by about six months.

Avivah Litan, a vice president at Gartner with expertise in payments, said chip-and-pin cards would in theory have prevented Target’s data breach in which it lost 40 million payment card records via malicious software on its network.

She said Target’s move is more than symbolic even though the retailer was already moving to chip-and-pin. It gives customers a more secure way to pay using Target’s branded cards, she said.

“It’s good for consumers, and in the end, probably going to be good for Target,” Litan said.

Target has been under intense pressure to shore up its network following the breach. It is facing 80 civil lawsuits and inquiries from regulators including state attorneys general, the Federal Trade Commission and the U.S. Securities and Exchange Commission, according to its March 14 annual report.

Starting next year, Target will upgrade its debit cards, called REDcards, which account for around 20 percent of Target’s sales, to chip and pin.

The cards include a credit card and a debit card that Target issues and can only be used at its stores. The upgrade also applies to a credit card co-branded with MasterCard that can be used anywhere, Snyder said.

Target is also rolling out new software and payment terminals compatible with chip and pin to its 1,797 U.S. stores by next September.

So far, cybercriminals haven’t been able to steal sensitive data from the microchip of chip-and-pin cards, although some computer security researchers have found ways to attack the system.

Visa and MasterCard have long championed chip and pin as a replacement for magnetic stripe cards. Data can be easily copied from the magnetic stripe with off-the-shelf equipment.

Chip-and-pin cards still have a security hole, however: most still have the magnetic stripe, since they wouldn’t work at most U.S. stores today without it. That could change as the U.S. moves toward full chip-and-pin compliance, but the transition could take years.

Target hasn’t said if it will dispense with the magnetic stripe for the two cards that can only be used at its stores, Snyder said. But Litan said that would make sense.

“Target could remove those mag stripes from those cards since because they have a ‘closed ecosystem,'” Litan said, meaning the cards are only used at its own stores.

The retailer said it is also enhancing monitor and logging across its network. In March, Target admitted its security dismissed early signs of the data breach that showed up in its logs.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk