With few details available, it's too soon to draw any specific conclusions from Target's data breach. But the compromise of 40 million credit and debit cards at one of the largest retailers in the U.S. shines a bright light on the difficulties in securing payments.
As we learn more about the full scope and scale of the Target data breach, there will be ongoing, breathless coverage in both social media and news outlets explaining what the event "means" to consumers, merchants, card brands, etc. The attention being paid to the data compromise is both understandable and warranted. Forty million cards were reportedly compromised at the third largest retailer in the U.S. during the height of the holiday shopping season. There are millions of Americans who can look at their Christmas trees right now and point to presents procured from Target during the time when the breach was happening. Those millions of shoppers are asking "Should I be concerned?"
Unfortunately, Target is remaining tight-lipped about the event, only confirming that it happened but staying mum on the specifics. Target is likely being advised by law enforcement and their third-party security provider to say little at this point, but its reticence will only fuel speculation. Thus, until we learn exactly how the breach was perpetrated, it is difficult, and probably unwise, to draw too many specific conclusions from the Target breach. However, there are some general lessons we can draw from this latest data breach:
- As one of the largest retailers in the U.S., Target was spending significant sums of money on protecting consumer data. We can assume that some of that money was spent complying with the PCI data security standard. We can further assume that Target was in full compliance with that standard. (Or at least we can assume they were compliant until they weren't, which was when the breach occurred. That will likely be the argument PCI makes if and when they levy fines against Target for this incident.) And there is a problem with the PCI DSS: it doesn't prevent data breaches. It certainly provides a tool for merchants when assessing their security risks, but it doesn't offer any real protection to those merchants. How many merchants are operating under the assumption that their compliance with the PCI DSS means they don't have to worry about data breaches?
- If Target, with all of its technology resources, can suffer a data breach, does that mean smaller merchants should be concerned? Absolutely. And what's worse, smaller merchants are already under threat. As my associate Michael Versace noted in a recent blog post (coincidentally timed as the Target breach was ongoing), "Data breaches are becoming an all too common occurrence, and the reality of the problem is much worse than current events and perceptions, because the general population is only aware of publicly disclosed breaches." In other words, the Target story may be just the tip of the iceberg.
- What is more worrisome is that the security of card data may not be a problem that merchants can solve, at least not so long as we continue to rely on current technology. It is interesting that the Target breach happened just as discussions about payment security are becoming more intense, driven by the migration in the U.S. to EMV. There will still be contentious discussions on how to make the transition to EMV work in the U.S., and on how the technology standard will be implemented at the point of sale. However, one of the big questions around the evolution of payments has been what incentive merchants and consumers have to move away from plastic cards with mag stripes at the point of sale. The Target breach may provide an answer by demonstrating that the current methods are in dire need of rethinking and replacement.
- If, as suspected, the Target breach occurred somehow through the point of sale terminals, that means another front in the war between data thieves and merchants has opened. That should not be surprising, considering POS terminals are simply connected devices and are as susceptible to malware as any other device. But this new front has opened at a time when the POS itself is being reimagined thanks to the proliferation of solutions built on mobile devices. The dedicated POS terminals being replaced were made specifically to be used as payment acceptance devices. The mobile POS solutions replacing them are built on smartphones and tablets, general-purpose devices that were never intended to be used for processing electronic transactions. If a dedicated terminal, one intended to be used for securely processing payments, can be compromised, isn't it likely that smartphones and tablets used for many other tasks are open to tampering? That is worth remembering as we rush to integrate mobile POS into retail payments.
Now that the Target breach has been discovered and contained, the hard work of figuring out just what happened begins. It will be a tough time for Target as it surveys not only the costs to contain the breach but also the damage done to its reputation and brand. And it will be a time of some discomfort for Target's customers as they monitor their card statements and worry about their data being used illicitly. But if merchants, card brands, issuers and consumers are compelled to address and fix the security issues facing the industry, maybe some good can come out of this breach.