Target CFO To Congress: We Will Roll Out Smart Cards By 2015

Robert Westervelt

February 05, 2014, 01:03 PM EST

Target, still reeling from a massive credit card breach that impacted millions of customers, said it would launch chip-enabled smart card technology to help reduce payment fraud and prompt a broader adoption of the technology across the industry.

Target CFO John Mulligan, in testimony before Congress, said the company had a plan to roll out support for the technology but now would accelerate the process, with equipment supporting smart cards by 2015. The technology, branded REDcards, will be launched as part of a $100 million project to get it supported in all of its nearly 1,800 stores, Mulligan said.

"Updating payment card technology and strengthening protections for American consumers is a shared responsibility and requires a collective and coordinated response. On behalf of Target, I am committing that we will be an active part of that solution," Mulligan said in his testimony to senators Tuesday.

[Related: Data Breach Costs: 10 Ways You're Making It Worse ]

Chip and pin credit card technology, designed to reduce the threat of credit and debit card fraud, has been rolled out in Europe and Canada, but security experts say credit card makers, banks and retailers have been slow to adopt smart card technology in the U.S. Solution providers say banks don’t want to incur the expenses involved in reissuing the expensive cards and retailers, in some cases, would have to rip and replace point-of-sale systems at tens of thousands of endpoints. The latest string of high-profile data breaches may fuel adoption of security technologies as merchants race to protect their reputation, solution providers told CRN.

"Customers don't budget for software; they don't necessarily care about the software, they care about the business problem and the issue behind the business problem they are trying to solve," said Alex Moss, managing partner at Chicago-based security consultancy Conventus. "For POS devices, no one wants to be in the news. They want know how much money they’re going to need to spend to stay out of the news and protect their reputation and, in turn, that means protecting their data and their customers’ information."

Target in 2012 became a founding member of the EMV Migration Forum at the Smart Card Alliance, which advocates for the adoption and use of smart card technology. Executives from the Payment Card Industry Security Standards Council Monday testified before separate congressional committees about the industry’s antifraud efforts, including smart card technology. The council, which oversees the Payment Card Industry Data Security Standards, opposes federal legislation to require its adoption, instead calling on the private sector to promote a broader rollout.

Chip-enabled smart cards contain a tiny processor that encrypts the transaction data shared with sales terminals used by merchants. As a result, even if the card number is stolen in a data breach, the thieves cannot counterfeit the card. Some experts, however, say the technology has its limitations. For example, it is only effective at brick-and-mortar stores, not e-commerce websites where cybercriminal threats are greater for consumers.

Troy Leach, the council’s CTO, said moving toward smart card technology is important but it is not a complete solution. Merchants must meet all the security guidelines established in the PCI DSS, he told legislators on the U.S. Senate Subcommittee on National Security and International Trade and Finance Monday.

"High-profile events such as the recent breaches are a legitimate area of inquiry for the Congress, but should not serve as a justification to impose new government regulations, "Leach said in his testimony." Any government standard in this area would likely be significantly less effective in addressing current threats, and less nimble in protecting consumers from future threats, than the constantly evolving PCI standards."

Attackers struck at Target during the holiday shopping season, infiltrating the retailer’s point-of-sale systems with malware called BlackPOS, designed to function in the memory of card readers to steal data. The attackers also used stolen account credentials from a vendor to gain access to the underlying infrastructure to encrypt and upload the data to a remote server. A total of 70 million credit and debit cards were stolen in the attack, and a database containing account information on 40 million customers was exposed in the breach. Other retailers, including Neiman Marcus and Michaels Stores, are investigating similar incidents.

"At Target, we take our responsibilities to our guests very seriously, and this attack has only strengthened our resolve, "Mulligan said in his testimony." We will learn from this incident and, as a result, we hope to make Target and our industry more secure for consumers in the future."

PUBLISHED FEB. 5, 2014