The costs of recent data breaches have been staggering. In Target’s case, 40 million credit and debit card accounts were hacked, and the personal information of 70 million people was stolen. The cost to Target: $17 million in net expenses and a 46% decline in profits in the fourth quarter that ended February 1, 2014. In the case of Neiman Marcus, 1.1 million cards were compromised. The cost to Neiman Marcus: $4.1 million to date.
To appreciate the potential and likely effects of these breaches on you, look at what various stakeholders, including the National Retail Federation, have been saying and doing. Loudly and clearly, they are advocating for the replacement of existing magnetic strips on credit cards with chip-and-PIN technology. After all, it’s what the rest of the world has been doing for years.
Would this new technology have prevented the Target and Neiman Marcus breaches? No. But it would have made it more difficult for thieves to use the stolen data afterwards. This is because chip cards, unlike magnetic strip cards, generate a different encrypted mathematical value every time they are used, making it harder for criminals to clone or counterfeit any stolen data. Plus, the requirement of a PIN at the point of sale provides a second layer of protection against unauthorized use.
So why hasn’t this chip-and-PIN technology been universally adopted here in the US? The primary reason is cost. With system-wide implementation estimated at $15-30 billion, it is no wonder that banks and retailers have historically waited for the other to act first. Retailers don’t want to spend the time and money buying and installing new terminals to read the chips unless the banks are issuing chip cards in significant numbers. And banks don’t want to issue the cards until retailers have terminals that can read the cards. It is a classic chicken-and-egg problem.
But the magnitude and highly publicized costs of recent data breaches may finally be enough to overcome this long-standing obstacle. The major card networks seem to be taking the lead and providing the much-needed incentive for both retailers and banks to act simultaneously. Under the new policies, liability for fraud would be placed on the party that prevents a chip transaction from taking place. For example, if a retailer has a chip reader and the card has only a magnetic strip, the bank would be liable for any resulting point-of-sale fraud. Conversely, if a chip card is presented to a retailer that has no chip reader (and the transaction has to go through using non-chip technology), the retailer would be liable. If this liability shift weren’t enough incentive for retailers, Visa has also promised to waive PCI DSS compliance validation requirements if retailers upgrade their terminals to read chip cards. Visa says these policy changes will take place by October 2015, giving retailers and banks a little under two years to get their affairs in order.
Not surprisingly, Target has been one of the first retailers to announce that it is jumping on board. It has already promised to invest $100 million in chip technology by early 2015. Other retailers would be wise to start doing the same. Otherwise, they could find themselves absorbing most, if not all, of the costs of point-of-sale card fraud in the near future.