(Photo by Joe Raedle/Getty Images)
The security breach at Target over the holidays has hastened the push for retailers to implement so-called EMV technology to process payments.
CINCINNATI - You don’t have to be hacked to be a victim of hackers, Cincinnati companies are learning in the wake of recent security breaches at Target Corp. and The Neiman Marcus Group Ltd.
Experts say retailers, banks and consumers will likely have to pay more for technology upgrades and increased liability risk because of cyber attacks over the holidays that exposed more than 100 million consumers to increased risk of theft.
“You’re going to see more companies ramping up on their technology than ever before just because of consumer concern that their information is being protected,” said Bob Childress, CEO of Solace Insurance, a Tampa, Fla. –based company that sells cyer-liability coverage to small and mid-sized companies. Demand for that coverage is rising, he said, because of an increasing number of lawsuits and reputation damage caused by security breaches.
“More money has to be allocated by these companies because the criminals are growing smarter and more technically advanced," he said.
Cyber-security was hot topic at the National Retail Federation in New York this week. Pressure is increasing on Cincinnati retailers like Kroger Co. and Macy’s Inc. to install new technology for debit and credit cards that use encrypted computer chips instead of magnetic strips to store consumer data and require PIN numbers instead of signatures to authorize transactions.
The so-called EMV technology (it stands for Europay, Mastercard and Visa, which developed the standard) is predicted to cost U.S. retailers $8 billion to implement and banks more than $5 billion, said Randy Vanderhoof, executive director of the Smart Card Alliance, a Princeton, N.J. -based nonprofit that promotes the use of EMV technology. Vanderhoof was not familiar with Kroger’s technology but said Macy’s “has been in the forefront of testing and piloting some of the newest payment solutions coming into the market.” He said Sycamore Township –based Vantiv Inc. is “right in the middle” of the shift to EMV because it’s a payment processor with lots of large retail clients. Vantiv announced its compliance with EMV standards back in April.
“These type of hacking attacks are going to get worse before they get better,” Vanderhoof said. “More consumers are going to be asking their banks for chip cards. This is an opportunity for Vantiv to get their customers to rethink what level of technology they’re running and to move to more secure and updated systems.”
Kroger did not provide comments for this story. A Macy’s spokesman said it has “no reason to believe that any of our payment systems have been affected,” but it is actively monitoring for cyber attacks.
Fifth Third Bank said it launched EMV chip technology for commercial cards in 2012 and it has now begun reissuing debit and credit cards to consumers at increased risk for fraud because of the holiday cyber attacks. Fifth Third wouldn’t say how many cards are being replaced.
A Reuters story Wednesday identified Vantiv as one of several vendors that processed transactions for Target. The story said some of those vendors could face lawsuits.
“We don’t expect any impact from the Target breach," said Vantiv Spokesman Andrew Ciafardini. "While Vantiv processes PIN debit transactions for Target, there is no indication that Vantiv’s processing systems have been affected by this incident."
Vantiv CEO Charles Drucker has been talking about the shift to EMV for more than year now in earnings calls and investor presentations. In October, he said Vantiv’s EMV expertise was a factor in recent large customer wins, including a portion of Walmart’s payment-processing business. In May, Drucker said EMV offered a chance to expand market share.
“As EMV gets closer and there's changing in the equipment and the hardware and how software functions, our merchant clients, we're working with them to think about mobile (phone payment systems) and how to attract more clients, using loyalty programs, the discounting program,” Drucker said. “So I do think as we get closer, it starts to accelerate more opportunities to bring value-added services to these clients.”
True to that strategy, Vantiv announced two new product launches at the NRF convention in New York this week. It’s partnering with Microsoft to develop cloud-based “omni-channel payment solutions.”
It also announced a smart phone app, developed in partnership with AT&T , that allows business owners to accept debit and credit-card payments.
“Mobile payment solutions ride on the more secure EMV payment processing networks,” said Vanderhoof. “So in a way, if stores upgrade their security to EMV then they enable themselves to process through mobile devices as well.”
EMV technology is widely used in Europe but its implementation in the U.S. has gone more
slowly. Credit card companies Visa and Mastercard have tried to prod the change by announcing a policy change that could shift liability to retailers if EMV they’re not using the technology by October, 2015. Currently, retailers cover one third of fraud-related expenses, Vanderhoof said.
Macy’s CEO Terry Lundgren told CNBC Monday morning that that the holiday cyber attacks should lead to stronger security solutions, but stopped short of endorsing the EMV standard and declined to provide an estimate of Macy’s cost to implement.
“We have nothing to believe this is an issue for us at the moment,” Lundgren said. "The retailers, the banking industry, [and] the credit card industry should be working very closely together to figure out what is the right technology to protect the consumers … and then work around the solutions from there."
Vanderhoof said the shift to cards with computer chips will not be the only technology solution required by retailers and banks. Nor does he think Target and Neiman Marcus will be the only retailers to announce they’ve been hacked.
“We don’t know how the malware was introduced into the system,” he said. “But you can say for sure that the criminals who created this attack are looking at other retailers with a similar hardware or software systems that would be susceptible.”