MADISON, Wis. (1/2/14)--While credit unions and other financial institutions reissue millions of debit and credit cards compromised by the Target data breach last month, security and payments industry experts are debating the implications of the breach on payment systems.
The debate centers around two issues: Will debit cards suffer from a drop in consumer confidence as a result of the breach? And would having the EuroPay MasterCard Visa (EMV) chip-standard technology in place have helped protect consumers data?
Several sources say the security breach, which compromised 40 million debit and credit cards and included stolen encrypted PIN data, will impact how consumers pay with plastic. Some are even predicting the demise of the debit card.
The breach has shaken consumers' confidence in using debit cards at physical retail stores, said Karen Webster, CEO of Market Platform Dynamics, in an analysis on Pyments.com (Dec. 30). "Consumers understand that they are protected from financial ruin if the bad guys get hold of their credit card account number. The picture is a bit muddier when it comes to debit," she wrote. "Federal law doesn't provide much protection. Visa and MasterCard require issuers to have zero liability rules for consumers with signature for signature transactions. But protections for PIN debit are much more varied."
Consumers already are more nervous about using debit cards, because the cards link directly to their checking accounts. "So the recent news about the Target breach also included PIN information might just be the finishing blow to the already shaky consumer confidence in debit cards as a secure method of payment anywhere," Webster said.
Consumers already say they won't use their debit cards again for purchases because of the breach, wrote Mark Calvey, a columnist for the Washington Business Journal Online (Dec. 30). "In my opinion, the Target breach is going to focus renewed attention on debit card security," he wrote. However, he noted the push in the financial industry to replace magnetic stripe technology "with more secure, but costly, digital chips." In that case, he wrote, the breach would not be the end of debit cards but would be the end "of the debit card as we know it."
Opinions are mixed on whether having EMV chip-based technology, instead of the less secure magnetic stripe technology on cards, would have helped protect data in the Target breach. Major credit card companies are pushing merchants and financial institutions to switch to EMV by October 2015, and will make them liable for any fraudulent charges if they haven't converted by that date.
EMV has been slower to be adopted in the U.S. than in other nations. According to Tammy Fleiger, vice president of operations at Spokane (Wash.) Teachers CU, it is a "chicken and egg thing." It doesn't make sense to upgrade the credit union's cards until merchants can accept the technology, "and merchants don't want to upgrade their terminals until they have the card," she said in Northwest News Network (Dec. 27). The credit union plans to issue chip cards this year.
Some analysts say that even EMV would not have prevented Target's situation because EMV does not encrypt card data transmitted between the card swipe at the terminal and the acquirer of the transaction. Market Platforms Dynamic's Webster in her column said EMV "does nothing to prevent the risk that card information can be intercepted in the merchant environment. Underwriters Laboratory security experts that said when a merchant terminal and/or point-of-sale system is hacked, an EMV chip still would have provided enough information to be used by criminals online. She noted that in countries using EMV technology, fraud is down at stores, but online fraud has increased.
Webster and others have indicated a layered approach to data security, involving both tokenization and encryption, should be at the forefront in future discussion about fraud solutions.
One group that will help provide structure for EMV changes in the U.S., is the Debit Network Alliance of 10 U.S. PIN debit networks, including CO-OP Financial Services. Formed last month, it will provide structure for the governance, deployment and implementation of the EMV debit standard to facilitate adoption of the standard in the U.S. (News Now Dec. 12).
In the Target breach aftermath, credit unions whose members' accounts were compromised are being urged by the Credit Union National Association to collect data about the costs they incur in replacing cards and assisting members. CUNA will have a website up soon to assist in the efforts to track the costs imposed by the breach.
Meanwhile, credit unions continued this week replacing debit and credit cards for members whose information was stolen. The Northeast Florida Chapter of the League of Southeastern Credit Unions said Monday that local credit unions were issuing replacement cards to roughly 58,000 members. They are bearing the full cost of issuing new cards and new card numbers (Jacksonville Business Journal Online (Dec. 30).
Belvoir FCU in Woodbridge, Va., is among the latest credit unions to alert members of the breach, and American Southwest CU, Sierra Vista, Ariz., said it will replace 877 Visa debit cards compromised at no cost to members, even though no fraudulent activity has shown up on its cards. Taking proactive steps will diminish future fraud on the cards, the credit union said.