Target data breach could stimulate migration to chip-based cards

US retailer Target said yesterday (19 December) that it is working closely with law enforcement and financial institutions, after a data breach put the credit and debit card details of approximately 40 million customers at risk.

Unauthorised access to payment card data occurred which could have impacted shoppers at its US stores between 27 November and 15 December 2013, coinciding with the busy Black Friday weekend, which is traditionally one of the busiest shopping periods of the year.

Target alerted authorities and financial institutions immediately after it was made aware of the unauthorised access, and says it has identified and resolved the issue. The retailer is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident to learn how cards were skimmed in-store.

Mark McMurtrie, director of UK-based Payments Consultancy, said that the case highlights why retailers need to invest in the strongest levels of data security protection available, and proves that merchants of all shapes and sizes cannot feel safe from data attacks and fraud.

"Retailers are quick to complain about the costs of PCI compliance and too often see it as a one time IT project, rather than ongoing organisational journey," he told Essential Retail.

"New card security initiatives have been developed for a reason and that is to stop card details being stolen and then subsequently used."

This particular high profile case could prompt the US payments industry to take drastic action over the way it operates, McMurtrie added, and could be a stimulus to all stakeholders to commit to the migration to chip-based cards.

"Chip cards are inherently more secure than mag stripe and when combined with PIN verification restrict the ability for criminals to so easily use stolen card numbers to commit fraud," the cards specialist noted.

Paula Rosenblum, managing partner at RSR Research, used her Forbes column to argue that the attack on Target "may well have been one of the most sophisticated and coordinated ever".

The retail expert also suggested, however, that Target is unlikely to see any loss of business from the data breach, while she added that she is confident action will be taken quickly by the card processors to ensure any consumer losses will be prevented.

Rosenblum explained in the article: "The truly interesting questions are who planted the skimming devices in the card readers? Was it employees? Store cleaners? Were they planted by a large group of organised criminals over a short period of time, or did a smaller group take months of time preparing for the big weekend?"

Target is left to investigate how its customers' card data was breached, but it was quick to issue a public statement to explain its actions and reassure its customers.

Gregg Steinhafel, chairman, president and CEO of Target, commented: "Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence.

"We regret any inconvenience this may cause. We take this matter very seriously and are working with law enforcement to bring those responsible to justice."