Protecting and securing payment systems and consumer data is a never-ending task for all parties in a payment network, and it’s also a moving target.
At the Electronic Transactions Association’s TRANSACT conference in Las Vegas, credit card companies, banks, payment processors, regulators and retailers all have the same fear: as soon as a new system or firewall is put in place, hackers have already figured out how to bypass it.
“The fundamental problem is you can’t provide 100 percent protection for a house of straw,” explained Mallory Duncan, senior vice president and general counsel for the National Retail Federation. “Retailers need to work with the card industry to help the system move to a house of wood to make it easier to secure.”
Read More Think your password’s safe? Think again!
Many retailers have had payment and data security teams in place for years, and have been working to migrate payment systems from the current magnetic stripe card readers to EMV systems, or the chip-embedded cards and PIN-code technology widely used in Europe.
Visa and MasterCard are giving merchants until October 2015 to have an EMV system in place. If merchants don’t comply, the responsibility to cover fraudulent purchasing will shift from the card companies to the merchants themselves.
After the high-profile retail data breaches at Target, Neiman Marcus and Michael’s, a number of retailers, including Target, are accelerating EMV technology plans.
The migration certainly isn’t cheap. Duncan estimated it will cost retailers between $26 billion and $30 billion to upgrade systems to be EMV-compliant, while it will only cost about $2 billion to replace consumers’ cards with the new chip-embedded technology.
Two weeks ago, Wal-Mart “turned on” software at about 1,000 of its U.S. stores, enabling its point-of-sale systems to accept chip-and-PIN cards, though there are few of those cards currently being used in the U.S.
The world’s largest retailer said its whole network of U.S. stores will be ready to accept EMV cards before the end of the year. Because Wal-Mart’s current point-of-sale machines are compatible with EMV technology, the company said the cost of activating the software isn’t material.
Target, however, has said accelerating its payment systems to accept chip-and-PIN cards is part of a $100 million effort to ready all of its 1,800 locations by the first quarter of 2015.
Retail Pro International provides point-of-sale software for small- to mid-size retailers including Oakley, Fendi, Prada and Lacoste. Mike Bishop, vice president of business development, said U.S. customers with two to three point-of-sale terminals per location will need to invest around $3,000 per store to upgrade to safer, smarter systems.
But EMV systems are far from a panacea.
“EMV addresses a specific type of fraud—counterfeit card fraud. It does not address other types of fraud that take place,” said Jason Oxman, CEO of the Electronic Transactions Association. “When we look at the Target breach or [breaches] at other retailers, those were breaches of retailers systems. EMV wouldn’t have done anything to stop the Target breach.”
EMV provides more encryption so credit card data are harder for hackers to replicate on counterfeit cards, but it wouldn’t have prevented the hackers from getting the data, Oxman said.
“I think what the retailers are going through now is pretty damn unique, relative to what they’ve done in the past,” said Bishop. “They’re feeling a lot of pressure right now. They’ve got to have systems that support these more advance technologies, or they’re gonna die.”
—By CNBC’s Courtney Reagan