Security: What It Takes to Lead the Way

You say Target, we say EMV—how’s that for a conversation-starter?

The recent mass hack of retail giant Target—it’s estimated that more than 100 million consumers’ information might have been compromised—has generated considerable attention, as does every data breach that cuts to the bone. Expect to see the usual hand-wringing and calls for newer and more effective procedures, and with good reason. It’s entirely fair to ask why and how a multimillion dollar security network of the kind Target surely has could be brought to its knees—allegedly—by a software tool created by a teenager, written in a common scripting language and widely available on underground sites for barely $2,000.

That’s why we should expect to be hearing a lot more about EMV. For the record, the acronym represents Europay, MasterCard and Visa, and it first saw life as a joint effort between those conglomerates to enable greater security and interoperability in chip-based payment cards. The specification covers everything from POS terminals to ATMs, meaning every store and bank simultaneously. The standard is now defined and managed independently, and Integrated Circuit (IC) or chip cards based on it are being rolled out throughout the world. The chip and related software ensures that each customer’s account number and other details are essentially invisible. The suggestion here, and it would be label the potential benefit any differently, is that it would help contain the damage wrought by the Target hack.

Of course, when something is a global standard, that doesn’t mean it covers every market—there are always exceptions. And in the case of EMV, there’s a big one: The USA. Many regions across the pond have embraced the new technology, but magnetic-stripe cards, which are far more vulnerable to data theft of the kind we saw at Target, remain the norm on these shores. Credit card companies, who are among those hardest hit by data theft at market-facing outlets like banks and stores, have been stepping up pressure on their partners to adopt the EMV specification and introduce IC cards. But it’s probably not going to happen for a while.

There’s a good reason for this, or perhaps 8 billion reasons. That’s the dollar figure attached to the estimated cost of a full-on conversion to EMV technology adoption.

The simple truth is that through sheer size and economic heft, the U.S. is the world’s largest market for just any product it embraces. That gives it enormous standalone power—it’s why, for example, music stars who sell out globally barely make a dent on the charts here, or the World Cup can be the biggest sporting event while remaining a second-tier event for American consumers. The U.S. plays by its own rules, because it can.

It’s also worth noting that while credit card companies are rightly concerned about data fraud and consumers have reason to fear identity theft, the retail industry can make the case that the cost of conversion to the EMV spec, despite the benefits, isn’t justified by the potential prevention of fraud, (losses from this type of attack has been estimated in the $1 billion a year range.) Besides, federal statutes protect consumers from having to pay for purchases made fraudulently with their credit and debit cards.

Most importantly, it’s always premature to see any technology as a panacea. Protecting financial information is an ongoing struggle, a non-stop effort to stay ahead of the bad guys. Whatever measures we put in place, sophisticated cybercriminals will find a way to circumvent. However, the fact that credit card fraud rates in America, previously among the lowest anywhere, have doubled since IC cards began proliferating in Europe is cause for concern.

Whatever the merits of the argument, the current interest in EMV makes for a case study in market leadership. The fact that the U.S. retail and banking economies are so massive and complex should not automatically be a reason for them to be technologically behind the curve. We always need to be doing better. The EMV specification is one option that seems to provide enhanced security, but that’s it—one option. Being the biggest, and arguably the best, means it’s our responsibility to lead the way identifying, developing and implementing many more.