After data breach, Target develops high-security credit cards

After data breach, Target develops high-security credit cards

Summary: Following a disastrous data breach that resulted in the theft of millions of customer records, Target is working on high-security "smartcards" for clients.

TOPICS: Security

Following a massive security breach, Target is speeding up the development of high-security cards.

In November 2013, the U.S. retailer was the victim of a cyberattack that lifted roughly 40 million credit and debit card records, in addition to approximately 70 million customer addresses and phone numbers. These records are now believed to be on the black market, and the security breach has been traced back to vulnerabilities in a third-party vendor.

In order to try and salvage something of the situation, Target is ramping up efforts to make services more secure. Writing an opinion piece for publication The Hill on Monday, Target's Chief Financial Officer John Mulligan said the firm is working to make itself more secure in the future, and the "adoption of chip-enabled smartcards .. would dramatically improve the security of all credit and debit cards" in retail.

Target was working on the cards -- which contain small microprocessors that make it more difficult for hackers to steal data -- before the security breach, but Mulligan says development has now been accelerated within the $100 million project.

The U.S. retailer hopes that chip technology will be in stores and integrated within Target's REDcards by early 2015, six months ahead of previous plans. Mulligan writes:

"For consumers, this technology differs in important ways from what is widely used in the United States today. The standard credit and debit cards we use now have a magnetic stripe containing the customer's information. When first introduced, that stripe was an innovation. But in today's world, more is needed.

The latest "smart cards" have tiny microprocessor chips that encrypt the personal data shared with the sales terminals used by merchants. Why is such a change important? Even if a thief manages to steal a smart card number, it's useless without the chip."

These cards are already used in the U.K., but the U.S., where signatures are often still required, has been slow in adoption. The CTO says that in the United Kingdom, financial loss associated with lost or stolen cards has dropped 67 percent since 2004. In Canada, where the cards are already used, losses from card skimming were reduced by 72 percent from 2008 to 2012, according to industry estimates.

In the opinion piece, Mulligan says the industry needs to work together to combat card fraud.

"If we truly want to prevent this from happening again, the business community must move together. No one company or industry can solve this challenge on its own," he wrote. "Strengthening consumer protection requires a coordinated response.This is a shared responsibility."

Target is also working on ways to make mobile transactions more secure in the future.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Why?

    are they "developing" the cards, when they are already standard everywhere else? :-S

    Surely they just need the US card companies to follow the international standard and release new cards with chips?
    • Ditto!

      Target is not developing the cards, they are accelerating the deployment of cards readers on their POS equipment that can read credit cards with an embedded chip. While I do not remember the exact details, US banks and retailers were going to be moving to the chipped credit cards in the 2015 to 2016 time frame anyway. Target is simply moving their deployment of the systems up by 6-months.

      Until recently, the US banks and retailers found it cheaper to accept fraud then pay for the deployment of the chip based credit cards. Now that retailers are getting socked with the bills for credit monitoring and breach clean-up, suddenly chip based cards are a great idea. But they have been the norm in Europe and other parts of the world for 10-15 years. Ever hear of mass credit card fraud anywhere but the US? Bean counters, you gotta love 'em!
      • Same as Safety Regulations

        There is a rather cold but unfortunately true statement: "Safety regulations only change when there is blood." Also unfortunately this principle applies to many other things.
      • They were standard in France over 20 years ago.

        Smartcards were developed by the French computer company Bull and were required to get paid when working in France over 20 years ago. It was simply a "business decision" to shift the costs of bad security to customers, law enforcement and retailers.

        Yet another example of why banks require strong, proactive government regulation. But as long as we have the best Congress money can buy, that won't happen.
        R Harris
  • Deploying smart cards...

    It's (relatively) easy for Target to deploy smart cards.
    Red Cards only work at Target, so it's only Target's readers which need to be upgraded.
    Not so for the whole of US.
    Ever and each reader would need to be replaced, how many are there?
    • Already have chips

      About half of the cards in wallet already have chips. They have had them for several years. All that was ever missing was a reader.
  • no RFID

    Many of us refuse to carry a credit card with an RFID chip...
    • You may be surprised

      You may be surprised at which cards do and do not have chips. You may have one and not know it.

      For those that are really worried or do a lot of international travel there are a lot of wallets that have shielding.
      • Surprised, indeed

        Anyone with a NFC card has to have one... but it begs some farther questions related to how secure NFC transactions may or not be, as compared to magnetic swipes. Other questions related to entities archiving customer data only in attempts to simplify processing of return business are very appropriate - if, in fact, there was never an archive to be "cracked", the situation would not have happened at all. So, in MY book, any retailer who thinks they can safely archive critical personal information of customers is not only open to compromise and loss due to their own negligence, but also are way too naïve in assuming how secure their archive may be - one way to publicize such negligence seems to have been under way since early last year...namely the compromises, of which I believe we've only learned about a small proportion.
        (My old mantra - decisions made in the interest of convenience most often result in compromised security and higher risk for the decision maker.)
        • And yet the world's still here.

          Chipped credit cards have been used outside the USA for years and guess what - the rest of the world is still here and still going, credit card fraud hasn't increased (by all accounts it's decreased) and retailers haven't gone broke upgrading to chipped readers (not that they have to, the swipe option is still available).
          I sometimes wonder at the conservatism of the USA, in Australia we have chipped cards, we have PIN number authorisation on credit cards and we have NFC with no PIN or signature for low value transactions. And we don't have out-of-control credit card fraud as a result.
    • Chip-and-Pin

      doesn't use RFID. It uses a smart schip with contacts on the surface of the card, you actually need to physically insert the card in the reader.

      There are newer cards which use NFC, but I haven't heard of any credit or debit cards using RFID.
  • On choir preaching and solving only part ...

    of a problem.....
    We all have known about "smart cards" in one sense or another for years, as noted by others... So, in this press "release", Target is not really working towards improved security, but improved customer relations, and THAT is a long, steep hill ahead of them (and some other notable retailers as well). In a sense it begs a question whether one goal of the compromise may well have been to impact the retailers' total business (considering that we have only heard of a few high profile retailers being affected, so far).
    Assuming Target does manage to establish their own cards, and necessary infrastructure to support them (read more than just the readers...), it still does not address at all the fact that a majority of cards affected by the breach were not their own. That said, there is still a lot of work (for EVERY retailer) to do by way of improved security of financial transactions.
    Am I impressed by Target's statement? Sorry, not at all.
  • Smart cards are not the answer

    Smart (chipped) cards are not the answer. Yes it will reduce the amount of fraud for a while just like putting the magnetic strip on previous credit cards did for a while. Eventually the criminals will either develop methods of reading the cards or as the stores replace their chip readers, some will fall into the hands of criminals and they will adapt them. This method will only slow down the rate of fraud for a few years.

    Having said that I do not believe that there is a good answer. Biometrics will help improve things but then put people's health and well being in jeopardy (as criminals take drastic action to get access) plus reduce privacy as there is no real way to disguise your face/finger print.
  • Banks don't care...

    It was long ago suggested that a photo, (been around nearly 200 years), might be a good security feature for point of purchase use.

    The UK banks actually said that they did not think they would be much use!
    dumb blonde