In the Chips

The data security breaches at Target and Neiman Marcus have put a white-hot fire under the push for the adoption of microchip-based credit-card technology to replace the traditional (and, many would say, backward) U.S. standard of magnetic strip cards. (The latter store unencrypted customer data on magnetic stripes.) Advocates of the chip cards, which store encrypted customer data on embedded microchips, say their use minimize the risk of data breaches at the POS.

But how exactly do chip-enabled cards work, and how much additional protection do they really offer?

Cards that store customer data in an embedded microchip as opposed to a magnetic stripe follow a standard called Europay, MasterCard and Visa (EMV), which is used by every developed nation except the United States. The POS terminal typically reads the chip via Bluetooth or Wi-Fi connection, significantly reducing the chance of hackers intercepting the data and also making “cloning” cards with phony duplicates all but impossible.

The customer can then have their identity further verified by entering a PIN or a signature. Exactly what type of authentication should be used beyond the microchip, which does not itself prevent the use of a stolen or lost card, is the subject of debate. The National Retail Federation (NRF) and Target Corp. both recently came out in support of what is known as “chip and PIN” authentication.

Going the Extra Mile

“The chip validates that it’s the real card,” said Tom Litchford, VP retail technologies NRF, in a February 2014 press conference. “The PIN provides two levels of validation.” And in a February 2014 column published on the Chain Store Age website, John Mulligan, executive VP and CFO of Target Corp., expressed support for U.S. retailers to adopt chip and PIN. Target ran a three-year pilot of chip-based cards from 2001-2004.

“Since the breach, we are accelerating our own $100 million investment to put chip-enabled technology in place,” said Mulligan. “Our goal: Implement this technology in our stores and on our proprietary REDcards by early 2015, more than six months ahead of our previous plan.”

Cost has been a major factor preventing widespread U.S. adoption of chip-enabled cards. The NRF estimates that switching to either form of chip-based card verification would cost $20 billion to $30 billion in software, hardware and card upgrades during a period of several years. The NRF wants banks, acquirers, card issuers and other payment card partners to share costs associated with chip and PIN migration.

Currently, card issuers are primarily responsible for covering fraudulent losses. However, as of October 2015, fraud occurring at U.S. retailers with chip-enabled cards will be the responsibility of the retailer if they cannot process a chip-based payment, which some analysts think will jump-start adoption. Many major U.S. card providers currently or plan to offer chip-enabled cards.

Not a Panacea

Even experts who support adoption of chip and PIN caution it is not a cure-all to prevent the theft of customer payment data. Paula Rosenblum, managing partner at RSR Research, said that hackers in the recent Target data breach used a “phishing” email to take over a computer at one of Target’s HVAC vendors and from there penetrated Target’s network using phony vendor credentials. This let them install malware and steal customer data while bypassing the POS.

“My own point of view is that no fixed standard can give you 100% security in an ever-changing world,” said Rosenblum. She added that chip and PIN is still highly useful, especially if combined with point-to-point data encryption.