The Target data breach is old news to most people by now, but the “terrible roars” unleashed by those responsible for this breach will be heard throughout the payments industry for years to come. And, the marks left by the “terrible claws” on the future of retail payments and consumer payment habits may in fact become indelible.
There’s a lot about this entire situation that has the industry horrified and fascinated at the same time, sort of the payments industry equivalent of rubbernecking when driving by a bad accident on the highway. Who doesn’t want to know all of the gory details associated with who, the how and the why – and to read about it and discuss it over and over? And secretly breathe a sigh of relief that it wasn’t them? One of the more fascinating accounts that I’ve read had to do with how the breach was discovered. According to a security blogger, it was a fraud analyst at a big bank who had been alerted to the fact that cybercriminals who make their living selling stolen cards had sent messages to their “loyal customers” that a new stock of cards was coming on line. This analyst actually then went online and bought back a bunch of its own bank cards from that online “card shop.” And guess what payment method is used to buy such cards from the bad guys? Well, let’s just say that it isn’t Visa, MasterCard, American Express, Discover or PayPal, but the “go-to” tender of illegal trade: bitcoin.
The roar that is being heard and the terrible claws that are being bared will likely permeate the industry far beyond Target. First, it likely will – and already has if the interviews done so far on television are true – shaken consumers’ confidence in using their debit cards at physical retail stores. Sure, the Target breach impacted both credit and debit cards, but consumers understand that they are protected from financial ruin if the bad guys get hold of their credit card account number. The picture is a bit muddier when it comes to debit. Federal law doesn’t provide much protection. Visa and MasterCard require issuers to have zero liability rules for consumers for signature transactions. The protections for PIN debit are much more varied. But, at the end of the day, here’s the big difference (and therefore the big deal as far as consumers are concerned): with credit, consumers can fight about what they want to pay and don’t have to pay until it is resolved; with debit, they have to fight about getting money put back into their accounts that may take time. For a lot of consumers, anything that messes up their checking account is a huge, huge deal. And whatever sophisticated payments professionals may think, use patterns show that consumers are a lot more nervous about using their debit cards. So, the recent news that the Target breach also included PIN information might just be the finishing blow to the already shaky consumer confidence in debit cards as a secure method of payment method anywhere.
Some consumers, who initially were told that PIN information was not compromised, decided to roll the dice rather than endure the inconvenience of cancelling their all-around work horse of a payment card during the most critical shopping period for them (and retailers in general). Except that we all know that debit cards can be used online without a PIN and at physical stores as well with just a signature, unless the store forces users to type in a PIN. In other words, no PIN, no problem if you’re a bad guy.
Now that it has been revealed that PIN information was also stolen, consumers have expressed even more concern and confusion over the security of their most precious financial asset – their bank accounts. Target has said that the bad guys can’t decrypt PIN information since they don’t have it. But, some experts say that clever criminals can work around that, in some cases just by being good guessers since, these same experts say, about 20 percent of us unbelievably use easy-to-guess passwords like 1234.
Chase, perhaps suspecting or detecting something more, preemptively reduced debit account cash withdrawals ($100/day) and transaction limits ($300/day) on debit cards in an effort to protect themselves and their cardholders from fraudulent activity. The cash withdrawal restriction is particularly telling because Chase was apparently concerned that the bad guys got the PINs and could access funds from ATMs. Try buying holiday gifts, do your holiday grocery store shopping and fill up the gas tank a week before Christmas with those sorts of daily dollar constraints – but it was the right thing to do in order to protect all parties.
So, as you can imagine, consumers are pretty freaked out and they are tuning in to the consumer credit pundits who are giving lots of advice about what to do. A lot of it is the usual stuff – cancel cards, monitor your account, etc. But, some consumer credit card sites, including one that is touted by the Today Show, are telling consumers to ditch debit cards for credit cards in order to protect themselves (and their bank accounts) from the risk of a future incident but to use those credit products like debit cards – paying off the balance each month. Lots of people who have credit cards do this already to take advantage of the points or cash back options associated with such cards, but it seems as though more and more people will be encouraged to follow suit. If that happens, retailers could be saying bye-bye to lower interchange payment options. And you have to wonder what’s going to happen to decoupled debit products which were just beginning to breathe a new sign of life—particularly with the success of the Target REDcard. Despite the fact that such products have limited utility on the black market since they can only be used with specific retailers, it seems hard to imagine that consumers will happily turn over their checking account information to merchants. For bank issuers, well, let’s just say that interchange-rich products could be making an encore appearance for those issuers savvy enough to capitalize on this fiasco while it is still front page news and use it to move consumers off of debit cards to credit cards.
Now, it’s true that consumers also have short memories, and that the last time something like this happened, the TJX breach in 2006, there wasn’t much of an uproar or backlash against them or the card brands/types, which many people found surprising. But, as the saying goes, that was then and this is now.
Back in 2006, online shopping was a teensy weensy part of the shopping experience (it’s only 5 percent now), but online is where the bad guys tend to use stolen cards today. It’s a perfect payments playground for them – they don’t have to go through the trouble of making new plastic cards and can do a lot of damage very quickly before cards are cancelled. In 2006, that risk was negligible and nothing that people talked or worried much about. But, the breach did have an impact on TJX and its strategy to move online – something they just did this year. The breach made them overly cautious to consider anything that could put them in jeopardy of a card compromise and/or loss of consumer trust.
We’ve already begun to see the big impact the breach has had on Target’s customers.
It’s been reported that its “buzz score,” has been pummeled. A brand’s buzz score is a measure of brand popularity on a scale of 100 to -100. Today it stands at a MINUS 30. (Amazon has a buzz score of PLUS 30, Kohls is at 19 and Home Depot is a 22, by comparison). Foot traffic at Target stores has also tanked at about the worst possible time – the holiday season which accounts for as much as 20 percent of annual sales. It’s been reported that transactions at Target were down 3 to 4 percent in spite of shoppers being offered a 10 percent discount after the breach occurred. This news comes on top of reports that consumers aren’t as bullish about the economy as otherwise thought. A new CNN survey reports that more than half of Americans have cut back on spending on clothes and appliances, with more than one-third (36 percent) tightening the purse strings on food and medicine. The latter actually reflects an increase from 31 percent during the height of the financial crisis in 2008. And, this is on top of the cheery news that 65 percent of Americans live paycheck to paycheck (up from 61 percent three years ago) further reinforcing the notion that consumers who either have the money but won’t spend it or don’t have the money to spend in the first place will be even choosier about where they elect to spend their hard-earned dollars even if plied with discounts. Parting with their money will be done with a brand they trust and Target has a lot of work to do in order to make good on that score.
The other roar that has been unleashed post-breach is the one over EMV.
Many say that “if only” the U.S. had implemented EMV the Target breach wouldn’t have happened. For sure, EMV cards are more expensive to clone into physical cards and if physical stores where the only places fraudulent card information could be used, EMV would, indeed, stop card fraud cold and so could have made it less appealing for the bad guys to devise their plot. Except that there’s one big problem: the bad guys now have a lot more places to use stolen card information – like millions of online outlets where they can buy stuff and/or buy stuff and return it for cash at physical stores. And, the facts bear this out. In every place in the world where EMV has been implemented, online fraud has increased.
Many security experts have gone on record saying that even EMV wouldn’t have prevented a Target-like situation since EMV doesn’t encrypt card data transmitted between the point at which the card is presented (swipe or dip) and the acquirer. They say that for that reason, EMV does nothing to prevent the risk that card information can be intercepted in the merchant environment – which is, in fact, where we’ve been told the Target breach occurred. An authority on payment card security from Underwriters Laboratory was quoted as saying that in a situation where a merchant terminal and/or POS system is hacked, an EMV chip would have still provided enough information to be used by the bad guys online. First Data’s white paper on EMV corroborates that, stating that the “largest breaches of card information in the U.S. have come from vulnerabilities within the merchant or processor environment that EMV does not address.”
Professor Ross Anderson a global authority on payment technology at University of Cambridge probably said it best: “Simply blocking off one of the avenues of attacks by fraudsters isn’t enough to make fraud vanish.”
So, as we close the books on 2013 and turn our sights to 2014, how will the “terrible claws” related to the Target experience impact the course of payments?
Let me count the ways ….
It will surely accelerate the discussions – and hopefully the resolution about a solution – around data security. I’m not a security expert, but it seems to me that tokenization and encryption have to be at the top of that list – even the EMV white paper from First Data suggested that EMV alone is not enough and tokenization and encryption solutions must be a part of a “layered” approach to keeping cardholder data secure. Let’s hope that one of the outcomes of this unfortunate situation is that we get much needed clarity around what should be done in order to keep card transactions safe – and “future proof” at the same time. Whatever we end up with has to address the reality that we are moving faster toward an environment where connected devices in the hands of consumers and merchants will drive transacting – and relying exclusively on a hardware based solution and physical card products to keep fraud at bay is only playing whack a mole with data security without addressing the bigger picture issues.
I can also imagine that a few key players will push pedal to metal on a variety of fronts. Banks will party like its pre-Durbin, and seize the moment to entice consumers to use credit cards, perhaps layering on more rewards, perhaps devising or aligning with innovators who have apps that help consumers monitor spending on those cards in real time and or take on some of the features of a debit-type product. Now, too, is the opportunity for MasterCard and Discover to double down to help feed this beast as a way to cut into Visa’s massive debit card share. I think it’s also possible for the move to digital wallets secured in the cloud and operated by third parties to also fast track, most notably by the player that has built its 15-year reputation on being the secure way to transact digitally: PayPal. In fact, I wouldn’t be surprised to see the PayPal and Discover combo move full steam ahead to merchants that want to both leverage the value of the digital wallet and the security/risk management of the PayPal solution to gain consumer trust and adoption.
I also think that this is just about the last thing that MCX needs at this point. Perhaps this will all blow over, but it seems like decoupled debit is going to face even stiffer headwinds and MCX will need to consider a new strategy for how it will go to market. Consumers, who have been cold to lukewarm about this payment method all along, may simply move to the “ya gotta be kidding me” view of giving their checking account info to a merchant to program into a card. It’s hard to know whether consumers will associate the Target breach with just Target or simply assume that all retailers pose a similar risk and can’t be trusted with their card information. That would make it very difficult for MCX to issue an MCX-branded product and have consumers feel secure using it. MCX will certainly need to assess the damage, and think thru another way for merchants deliver a value proposition to consumers and deliver a low cost of acceptance strategy to its retail members.
It’s also likely that we will see those schemes that attach prepaid cards to “merchant” cards a la Starbucks, reenergize in an effort to convince consumers to mitigate their risks by putting a “safe” card between their bank account and the merchant. I still can’t imagine that getting much traction since, outside of putting a few bucks each week onto a Starbucks card, the 65 percent of Americans who live paycheck to paycheck won’t think much of tying up their money on a card they don’t have the flexibility to use outside of a particular merchant. Sure, those consumers may not drive the bulk of the spend in the U.S., but those who do, have other options, and may not view the benefit worth the hassle of setting up and managing these new products.
What will be fascinating to watch, I think, is what the aftermath of the breach does to debit card usage at physical stores. Forty million card accounts represents a lot of cardholders, and just about everyone knows someone who’s been a victim. And although both credit and debit cards were compromised, the big nervousness that consumers have is related to the downside of the debit plus PIN compromise. Debit, as we know, is an extremely popular payment method and while it’s generally hard to change the payments habits of consumers, there’s no bigger incentive to change than fearing that the bad guys have access to your bank account and are using it as their own personal ATM.
It will also be interesting to see what happens to Target. When I was checking out Target’s buzz scores, I observed that it took them seven weeks last year to recover from the aftermath of a political donation that they made to a candidate that its customers didn’t think appropriate. The card breach is about 1 million percent more onerous and touches people where they feel most vulnerable – their wallets and their sensitive financial information. Target, as many retailers, has struggled over the last five years to stay afloat during the financial crisis, high unemployment, and shaky consumer confidence. In spite of all of that, Target was still able to get its “share” by offering great products, good prices and a great brand that got consumers in their stores. But once news of the breach occurred, all of that went out the window – and each time bad news now surfaces, it just gets worse. As the investigation uncovers more details about what happened, there will be more bad news to come. As we’ve seen play out with JCP, once consumers feel that their trust in their favorite brand has been “violated” it is a real uphill battle to win them back.
2014 will be a lot more interesting than we thought just two weeks ago.