Jul 02 2014

Target Breach Hit Credit Unions Hardest, Fuels Push for EMV Card Adoption

It’s not the big banks that were hurt the most by the retail data breach heard round the world.

If the Target data breach were a natural disaster, it’d have been the equivalent of a magnitude 8.0 earthquake for the retail and financial services industries.

With about 40 million credit card and PIN numbers reportedly scooped up in the data theft, many financial services entities such as banks, credit unions and payment card manufacturers had to scramble to respond the monumental crisis. But credit unions, more than any other financial services segment, were hit hardest by the breach, according to the results of a study from ATM network Pulse reported on by the Credit Union Times:

While large banks saw 7% of the debit card base affected by fraud in 2012, that number climbed to 14% in 2013, with 10% coming from Target’s breach, the report found.

Small banks saw the percentage of their debit card base affected by fraud climb f rom 5% in 2012 to 12% in 2013 with 9% coming from the Target theft.

Credit unions saw the percentage of their cards affected by fraud rise from 3% in 2012 to 16% in 2013, with 14% coming from the Target breach.

These hits are taking their toll on credit unions in particular, as they’re having to shoulder the effects of the breach largely on their own. In February, Mark Cummins, head of the Minnesota Credit Union Network, “urged Congress to consider legislation that would hold all players in the country’s payments system to comparable security standards and require merchants to reimburse credit unions for the costs of reissuing cards,” according to a Star Tribune news report.

It’s Time to Let Go of the Stripe

One of the main topics of conversation the Target breach has raised is the lack of security in the magnetic-stripe credit and debit cards most Americans use. Europeans adopted a chip-based payment card system called EMV (which stands for Europay, MasterCard and Visa) years ago, but the U.S. had opted to hold off on adopting the new card. EMV cards are viewed as more secure by many security experts, since they require a unique PIN for all transactions and boast advanced encryption algorithms that make the transactions harder to snoop on.

In an article for Digital Transactions, one payment security expert explained how EMV chip-based payment cards better protect payment transaction data compared to magnetic stripe cards.

Randy Vanderhoof, executive director of the Princeton Junction, N.J.-based Smart Card Alliance trade group and director of the EMV Migration Forum, says by email that “EMV data is not the same data that fraudsters intercept from mag-stripe cards.” He says mag stripes contain a static card-verification value (CVV, also known as a card-verification code, or CVC), while the EMV card replaces those codes with a dynamic (changing) security code known as the iCVV.

“If this information were copied and cloned onto a counterfeit card, it would not clear the online authorization process,” says Vanderhoof. “Once the majority of merchant transactions at a retailer are EMV, there will be little value to be gained by such a data breach because the data would have little value to criminals.”

But the Target breach has driven a significant shift in attitude toward EMV cards. Many card issuers are planning to roll out the chip-based cards next year, according to the Pulse study.

Although issuers report different opinions regarding the business case for EMV, the study found that 86 percent of participating U.S. issuers plan to start issuing EMV debit cards within the next two years, and most will begin EMV debit issuance in 2015.

The most common strategy among financial institutions is to provide account holders with an EMV debit card as part of their regular card reissuance cycle. Migration to EMV debit cards will begin in earnest in early 2015 and will span approximately three years, with many issuers attempting to provide chip cards to their international travelers and heavy debit users in advance of the liability shift in October 2015.

The cost of upgrading from the stripe to the PIN card system won’t be cheap for financial institutions and retailers. A 2011 white paper from ATM manufacturer Triton Systems put the estimated cost of upgrading ATMs in the U.S. at about $500 million and point-of-sale terminals across the country somewhere around $6.8 billion.

Those are staggering numbers indeed, but then again, the cost of data breaches like the one that hit Target are even more jaw-dropping.