Target sure is living up to its name.
The news yesterday that the megastore’s point-of-sale systems had been compromised and as many as 40 million cards exposed to possible fraud came at a bad time for the store and the economy as a whole.
The weeks leading up to Christmas are critical for retailers, and this news surely gave shoppers pause as they contemplated pulling out their plastic for another purchase. It’s a black eye for Target, in particular, and repercussions may be felt for some time to come.
The 40 million cards can be sold on the internet and lie dormant for many months before fraud is attempted. Put simply, it sucks for the customer and his bank.
But it’s worth putting the data breach in historical perspective. “It’s one of the large ones, but it’s not the largest by any means,” said Joram Borenstein, vice president of financial crime, risk and compliance firm NICE Actimize. “The TJ Maxx incident [in 2007] affected 47 or 48 million cards, and the Sony PlayStation incident in 2011 exposed as many as 100 million cards.”
The breach got some people talking about EMV (Europay, Mastercard & Visa), the card standard widely used in Europe and due to come to the US for good in 2015 — though many experts are skeptical this date can be met. EMV cards, also known as smart cards or chip and PIN cards, dynamically generate a payment code each time they are used, and so they cannot be reproduced the way magstripe cards can if fraudsters know the card number, expiration date, security code, and PIN code — to all of which, apparently, the Target fraudsters gained access.
“The average consumer does not know what EMV stands for or what the driving factors are behind it,” Borenstein said. “But with the ubiquitous mentions of it in media reports, it may raise awareness of EMV.”
Borenstein described the “war rooms” being set up at large banks to handle the crisis, where decision-makers gather to make expeditious decisions, as crises of this kind tend to develop quickly. “The playbook is still being written,” he said. “There’s no one way to handle these kinds of incidents.”
Banks first and foremost have to look at their own customers, which is a reasonable and responsible approach, Borenstein said. A month or so later when the dust has settled, the large banks tend to huddle up and share notes for the future. This is similar to the approach taken with regard to the DDoS attacks earlier this year.
A Citibank customer shared online that his bank had preemptively issued him a new card even before the news broke in the media. It is common for law enforcement to let issuing banks know about these incidents ahead of general announcements to the public.
Simple is also proactively replacing the cards of Target shoppers.
A customer service representative at JPMorgan Chase, when approached about the incident, answered that the bank was aware of which cards had been used at Target during the dates in question and was on the alert for fraud attempts on those cards. Customers were not preemptively notified, but the representative said she had been fielding calls “all day” — this was yesterday — from worried cardholders.
Financial institutions face the cost of re-issuing cards, personnel time, and the “war rooms” set up to handle emergencies like this, but they do not seem to face a public relations crisis in the way Target does.
A particular risk item seems to be Target’s own REDcards. These cards can either be debit cards, linked to a customer’s debit account, or credit cards, issued by TD Bank. If linked to customers’ debit accounts, would fraud be possible even if a customer’s own bank reissued his card? Part of Target’s PR offensive in 2014 should include reissuing all REDcards used during this time.