Target, the US retail giant, suffered a major data breach in the run-up to the festive season with 40m card details said to be at risk. This is the largest data breach since TK Maxx was hacked in 2007 at a cost of $256m in fines, legal settlements and IT upgrades.
Target has given a textbook example of crisis communications. It has been clear and open with its customers. There is a comprehensive and regularly updated website with much detail, even including lists of each state’s law enforcement policies. Target is also paying for its customers to have a free credit check.
Payment card theft is still huge business. In a remarkably candid blog, security expert Brian Krebs showed how the card details stolen from Target were on open sale for $20 – $100 each, with foreign cards particularly in demand.
US retailers will now be even keener on mobile wallets. Relations between US retail and the card schemes remain frosty despite the apparent ending of the “swipe wars.” Rather than invest in estate-wide point of sale upgrades to Chip & PIN or EMV as it’s more correctly known, many US retailers are looking to mobile payment concepts, such as the Wal-Mart inspired MCX wallet to leap a generation and make plastic cards redundant.
Direct Implications to the UK are limited. Target’s data breach was caused by malware on the point of sale systems that was intercepting the card details from the magnetic stripe. The incident is big news in the US but the rest of the world uses EMV which is much harder both to hack and clone.
UK retailers still need to check the security on their till and payment systems. Fraudsters are getting cleverer and, given the awful financial and reputational implications of a data breach, it’s a false economy not to invest in the latest and most secure payment services.
You are only as strong as your suppliers. Target hasn’t revealed what involvement, if any, its technology partners may have but retailers should always undertake due diligence regarding their suppliers accordance with Payment Card Industry (PCI) standards. Remediation should be available in case of non-compliance.
This was underlined before Christmas by the data breach at Loyalty Builder, an Irish supplier of white label loyalty programmes to Supervalu and Clearlys and others. 376.000 customer records were stolen including CVV codes. These are the three numbers on the back of the card and should never be stored. The Irish data commissioner was swiftly involved and Affinion (LoyaltyBuilder’s US owner) has already agreed a settlement of €22m – equivalent to 5 times Loyalty Builder’s annual profits.