Is the Target Breach the Chernobyl of Payments?

by Allen Weinberg on February 27, 2014

in Allen Weinberg, Card Fraud, Card Payments, Chip Cards, Point of Sale (POS), Security

Post image for Is the Target Breach the Chernobyl of Payments?

Chernobyl is certainly at the top of the list of man-made disasters.  In light of recent events, I’ve been thinking that the Target breach has become the Chernobyl of the payments world.

As a group, we Americans never thought that much about payment security – we really didn’t have to.  We are protected by federal laws limiting our liability for lost/stolen cards, while at the same time, the card networks’ rules give us even better “zero liability” protection, and have educated us about that protection with hundreds of millions of dollars (if not billions) of TV ads over the years. 

Joe Shmoe Merchant from Whoknowswhere, Illinois wants your MasterCard account number for an ecommerce purchase?  No problem, you’re protected.  Give my card to a hot dog vendor on the street who swipes it though (or even keys it into) his smartphone?  No problem – mustard and relish please, and hurry up with my hot dog.  Put my Visa credit card on file with an airline that can’t even run its planes on schedule?  Sure, why not, it’s quite convenient.

Look at all the card issuers that have, over the years, tried to differentiate themselves based on security – Bank of America, Citi, and others have all tried it on and off, without much visible success in moving market share.

But after the Target breach, my sense is that things are changing.  I’m wondering if we, who unlike Europeans and others, can’t be bothered to use Verified by Visa and MasterCard SecureCode because “we’re protected anyway”, may be taking a different view of who we give our payment credentials to after “Payments Chernobyl” and what steps we’ll be willing to take to protect our accounts.

I say this because the Target breach is different than all the others – huge numbers of people affected coupled with unprecedented news coverage and congressional hearings.  We just didn’t’ see that with the TJ Maxx, Heartland, Global Payments, Hannaford Brothers, Michaels (twice), Marriott, and other breaches.

Collectively, these breaches have now affected virtually every cardholder in the U.S.  We are largely driven by convenience, and let me tell you, it sure isn’t convenient to have to log in or call all the places that store our card numbers for recurring payments. 

Sure, it’s no big deal getting a notice from my wireless carrier, cable company, and favorite eRetailer when the auth request fails, but what about all the other places we forget about?   My son was thrown off a San Francisco bus when my card of file was declined and his monthly contactless bus pass didn’t renew (and yes, to my fellow payment geeks, I haven’t forgotten about the networks’ account updater services, but we all know they are far from a panacea).

So I’ve been thinking a lot about whether U.S. consumers will alter their payments behavior after Payments Chernobyl, and if so, how.

Anecdotally, I’ve been hearing about people now preferring signature versus PIN debit, and of other people who are switching from signature debit to PINs.  I’ve spoken to people who are not worried too much about leaving a credit card on file (“hey, it’s the bank’s money anyway”) but are now quite reticent to put a debit card on file (“sure, I’ll get the money back, but my rent check will be bouncing in the meantime”).  And how about those people who have a Target or another merchant’s decoupled debit card – you know, the ones that have your checking account number on file so that they can route the purchase thought the ACH?  I suspect a number of those folks are watching their checking accounts pretty closely now.

So I’m reaching out to everyone, asking you to let me know what you’re thinking, seeing in your own data, and hearing.  Have you changed your payments behavior after Payments Chernobyl?  Changing your use of PIN vs. signature debit?  Using credit vs. debit more?  Rethinking whom you say its OK to keep your account number on file for faster checkout or recurring payments?  Will your “chip and PIN” or “chip and signature” card be top of your wallet when EMV comes to market? Or even, and I hate to say this, using cash more?

I’d love hear from you – please track me down at Allen@Glenbrook.com!

{ 8 comments… read them below or add one }

Colin Kerr February 27, 2014 at 10:41 am

A compelling article. 20 years ago I moved to the US from the UK. I was stunned then that store checkout clerks rarely validated the authenticity/signature of the cardholder, and that people lend credit/debits cards to family members to go shopping. I just had my debit card renewal arrive, the signature strip was worn off 2 years ago and perhaps 5 stores/restaurants asked me to show ID. If that’s still the attitude to physical cardholder authentication, perhaps ‘Payments Chernobyl” (hopefully not something worse) really is the force to enact technical security and more effective solutions.

Reply

Jason February 27, 2014 at 12:36 pm

Prediction: consumer behavior change will be minimal, possibly negligible.

A couple of data points – Target’s top-line sales impact was small. First Data’s Spendtrend data was relatively stable despite a miserable January for retail due to weather.

2 theories. 1) People don’t think about payments when shopping – it’s a passive behavior. Their mind is on shopping (while juggling a smartphone and possibly a kid or two). 2) Debit is not a choice for most debit users. Many don’t have the credit and/or they have a deep and emotional fear of credit card debt. Those using credit cards with rich rewards that are paid off every month are a relatively small minority of the USA. — Jason

Reply

Allen Weinberg February 27, 2014 at 12:55 pm

Hi Jason — just read this today re: the impact of the breach on Targets earnings (link below to WSJ article) — “Target Earnings Slide 46% After Data Breach”. Customers appear to be noticing and have been staying away from Target, but perhaps not from shopping with plastic as you point out citing Spendtend data. Now whether they have short memories or not with Target is another story.

http://tinyurl.com/loo8odq

Thanks!

Reply

Jason March 3, 2014 at 2:59 pm

http://investors.target.com/phoenix.zhtml?c=65828&p=irol-newsArticle&ID=1848914&highlight

“Target’s U.S. comparable sales decreased (2.5)% in the fourth quarter” – They were likely headed toward low single digit comps. So a 5% to 10% immediate impact is significant but it suggests that 90% of customers immediately shrugged their shoulders. I expect most of the rest to forget about it soon. If consumers were as plugged in as you and I you would expect sales to fall off a cliff completely.

Proof will be in the Target comp sales numbers over the next few quarters.

FDC data doesn’t suggest a shift toward cash.

Great blog post. I do agree that the Target breach is an important moment in payments.

Reply

Williamson February 28, 2014 at 7:44 am

Interesting take on this situation, data security is crucial to retain customer confidence especially in the retail industry. Banks and payment processing companies will have to collectively take responsibility for incidents such as this and take adequate measures to ensure they have a secure and protected payments system. I work for McGladrey and there’s a newsletter on our website with great information for banks on optimizing existing technology and other valuable insight into improving overall performance.

Reply

David Snyder February 28, 2014 at 11:09 am

Personally, I’ve cut back on using my debit cards at stores. It just seems prudent to minimize the exposure of my checking accounts. As for public perception of the Target incident, I expect it to recede into the background fairly quickly. A few people will stay away from Target for a while, but most will find that convenience and price will drive their behavior more than concern over something that is unlikely to have much effect on them.

As for merchants, I expect some of them to increase their vigilance, but many will only give lip-service to the topic. The problem is that it takes money and effort to tighten security beyond the basics and the ROI for such stepped-up efforts is nebulous, at best. Such stepped-up efforts involve operational and cultural changes more than just installing supposedly better hardware and software. Companies can’t just authorize a line item to “buy something to make us more secure.” They need to work on how they conduct their business to first detect vulnerabilities that crop up, and second to ensure security consciousness is built into the way things are developed and implemented.

There’s an interesting article in the February 24, 2014 Business Week about “Why Negativity Is Really Awesome.” The article points out how often warnings about vulnerabilities are ignored within organizations. (O-rings on the Challenger being the oft-cited example.) Despite evidence that organizations probably need to up their game to catch and plug vulnerabilities, I think most decision-makers would prefer to minimize the risk and instead think about ways to increase revenue rather than what they ought to be doing to reduce the arguably low probability of being hacked. (Yes, I know the impact of being hacked can be costly, but people are notoriously irrational about risk perception and this would appear to be a case where the decision-makers will often choose to ignore a potentially large harm that *might* happen in some vague future timeframe in favor of more immediate concerns about meeting short-term goals for profitability.)

Reply

Allen Weinberg February 28, 2014 at 11:18 am

Thanks David. I really love your comment that “Companies can’t just authorize a line item to “buy something to make us more secure.” They need to work on how they conduct their business to first detect vulnerabilities that crop up, and second to ensure security consciousness is built into the way things are developed and implemented.”

Reply

Ben Katz March 8, 2014 at 8:10 pm

Since Target’s biggest sin here was relating to insecure servers, and since I know of no technology that replaces common sense, I don’t believe payment security is ever realistic.

I do wish EMV weren’t the proposed way to solve this.
1)It doesnt appear to protect us when shopping online (VbyV or MCsecurecode should be required for online, as you suggest).

2)It seems so 1980s solution. Do you see any ways to use “last known location of cell phone on my person” and mapping that to signature transactions as a fraud screen? Why cant we find a software solution to this? Why does it require a chip on a piece of plastic?

3)what is the actual cost of EMV? I’m curious. My sense is there are several dimes of patents inside each one, and then a very small bit of technology that could likely be produced for less than $0.10 if it werent for said patents. Is that accurate?

Reply

Leave a Comment

Previous post:

Next post:

Clicky Web Analytics