The retail industry, reeling from a litany of recent credit card breaches, could finally get a long-awaited injection of data protection technology, creating opportunities for solution providers that specialize in data security, compliance assessments and modern payment terminal deployments.
Target, Home Depot and other large retailers will be among the first to roll out terminals that support chip-and-PIN cards, but the technology alone doesn't provide the data security benefits, say solution providers. Newly manufactured, encrypted payment terminals would provide the greatest benefit in reducing fraud and help ease the barrage of data breaches, said Chris Camejo, director of consulting and professional services at NTT Com Security, Bloomfield, Conn.
"Encryption needs to happen in the terminal hardware and it's a technology that might have prevented many of these recent breaches," Camejo said. "Until now, most merchants look at the price tag of point-to-point encryption and decide not to do it."
The good news, according to solution providers, is that new terminals that support chip-and-PIN, also called EMV (Europay, MasterCard and Visa), are fully encrypted.
Target is spending $148 million on security improvements following its massive credit card breach and said it is on schedule to roll out terminals that support chip-and-PIN and encryption next year. Home Depot, which confirmed a breach this week following an investigation of its payment systems, said it would have the technology fully supported by October 2015.
The credit card brands are holding a carrot to spur adoption, with the key date being October 2015. Merchants that accept Visa transactions will be financially liable for any counterfeit fraud losses if their terminals fail to support a Visa card chip transaction. Merchants that support at least 95 percent of MasterCard chip transactions through an EMV-compliant POS terminal will not be liable for any account data compromise penalties. American Express and Discover have similar fraud liability policies for merchants that use terminals that accept EMV cards.
Advocates of the technology say it could take eight years for the payment industry to fully adopt equipment that supports the chip-enabled credit cards. Resellers, system integrators and consultancies that provide security and PCI compliance services for merchants predict that about 60 percent of merchants will adopt EMV-enabled terminals by October 2015.
The long line of credit card breaches may be what the industry needs to accelerate adoption, said Bob Doyle, a security consultant at Cambridge, Mass.-based security consultancy and solution provider Neohapsis. The cost of ripping out payment hardware has always been a major deterrent, Doyle said. Most merchants are going to fully analyze the costs associated with new security technology against the amount of risk reduction it provides.
"If I'm in charge of security at an organization that has been breached, I would pull out my playbook of potential technology upgrades that I was always going to implement, because this is where budgets are opened up to address security," Doyle said.