As Target Upgrades Credit Cards, It May Stand Alone

Don't expect other stores to follow Target's lead
Joe Raedle/Getty Images
By Krystina Gustafson | @KrystinaGustafs

Target took an active step in trying to reassure shoppers that their information would be safe when making purchases at its stores, by saying it would upgrade its store-branded cards with Mastercard's (MA) chip-and-PIN technology starting early next year.

But don't expect other retailers to immediately follow suit.

Though experts said Target's move is a step in the right direction, the fact that its cards are issued by Target (TGT) puts it in a unique position to be able to expedite these security measures for its shoppers, according to Brian Riley, research director with CEB TowerGroup.

What's more, since it fell victim to a very public data breach, the discounter has more incentive to act with extreme caution.

"I think Target's in a position where they're trying to look at everything as quickly as they can," Riley said.

Target on Tuesday said that it will enable its entire REDcard portfolio, which includes Target-branded credit and debit cards, to include the new chip-and-PIN technology beginning in early 2015. The system is said to be safer than what is currently used for U.S. credit cards, as the chip makes the card harder to counterfeit, while the PIN combats against fraud when cards are lost or stolen.

Although the discounter's consumer credit card portfolio was sold to TD Bank last year, the company said in a release that it "will maintain the current deep integration between its financial services operations and its retail operations." This gives Target more leverage when it comes to the processes behind its store-branded cards, Riley said.

Because only a few retailers have the same sort of leverage -- Nordstrom (JWN) and Talbots are two companies on the short list of big-name retailers that have an affiliated bank -- it puts them in a unique position.

But there's another reason Riley doesn't expect other retailers to follow Target's lead: The fact that there is so much change under way involving new technologies in the payment category.

"In fact, if they do, I think it's a little bit premature," he said.

Riley would, however, see more reason for a quick reaction from stores that also underwent recent breaches, he said. Neiman Marcus and Michaels Stores also recently reported data breaches, but neither responded to requests for comment as to whether they will expedite their move to chip-and-PIN technology. Michaels doesn't offer its own store-branded credit card.

Walmart (WMT) said all of its U.S. stores will be able to accept EMV cards before the end of the year. That's because its point-of-sale machines are already compatible with the technology, so there is no material cost for the retailer.

Banks and retailers are facing an October 2015 deadline when they need to be compliant with EMV technology -- a global set of standards for secure payments that uses a different set of digital data for every transaction. After that date, the liability of counterfeit card transaction will fall on either the card's issuing bank or the retailer, depending on who does not meet the set standards.

But the cost of switching over to EMV technology will be costly for retailers. Ramesh Siromani, a partner in the financial institutions practice at global management consultant A.T. Kearney, said upgrading point-of-sale terminals to read the chips could cost anywhere between $300 and $600 per terminal, which adds up when accounting for retailers with hundreds -- even thousands -- of stores.

Target said its plan to switch its REDcard portfolio, which includes more than 20 million cards used at nearly 1,800 stores, over to chip-and-PIN technology will cost $100 million.

Industrywide, Mallory Duncan, senior vice president and general counsel of The National Retail Federation, said it will cost retailers between $25 billion and $30 billion to switch over to chip-and-PIN technology, mainly because of the cost associated with upgrading sales terminals.

%VIRTUAL-article-sponsoredlinks%He said the most significant piece of Target's announcement is that it will be including the PIN requirement with its security upgrades. He said this is the fastest, most effective step the industry can take in helping to reduce fraud, as it's a less costly undertaking and still protects consumers.

By switching over to PINs, and postponing or eliminating the change to chips, the move toward more secure payments would only cost retailers about $4 billion, Duncan said.

"What you want to do is fix the weakest link first, and the weakest link is the signature," Duncan said. "[Target is] leading the charge to fix the weakest link ... it's the banks that have to follow suit."

Still, the new technology isn't perfect. Many point out that the new point-of-sale terminals only secure in-store transactions, leaving online sales vulnerable. Jason Oxman, CEO of the Electronic Transactions Association, also pointed out that the Target breach affected the retailer's systems that stored card data, so EMV technology would not have stopped it.

Target has been working to restore the confidence of shoppers, who stopped spending -- and, in some cases, visiting its stores altogether -- following the data breach that affected up to 110 million shoppers.

Last month, a report from Kantar Retail found that only 33 percent of U.S. households shopped at a Target or SuperTarget in January. That was the retailer's lowest level of shopper penetration in the past three years.

The pullback in foot traffic was also reflected in the retailer's fourth-quarter earnings report. The company said its domestic comparable-store sales fell 2.5 percent from the same period a year earlier, and were affected by "meaningfully softer results" following the Dec. 19 news of the data breach.

However, CEO Gregg Steinhafel also said in the release that he was "encouraged that sales trends have improved in recent weeks."

Recent data from YouGov's BrandIndex also indicate that consumers are slowly forgiving the discounter. According to the firm, Target's consumer perception currently stands at 15, after plummeting as low as -35 in wake of the breach. Though the company is still only about halfway back to its pre-breach score of 26, YouGov said it is only several points below what they consider a recovery.

Scores range from 100 to -100 and are calculated by subtracting negative feedback from positive. A score of zero means that a company has received equal positive and negative feedback from respondents. The index interviews 4,300 people each weekday to draw its conclusions.

Why Your Bank Thinks Someone Stole Your Credit Card
See Gallery
As Target Upgrades Credit Cards, It May Stand Alone

One reason why Marquis' gas purchases might have triggered a fraud lockdown? Filling their tank is a common first move for credit card thieves.

"Some of the things they look at are small-dollar transactions at gas stations, followed by an attempt to make a larger purchase," explains Adam Levin of Identity Theft 911.

The idea is that thieves want to confirm that the card actually works before going on a buying spree, so they'll make a small purchase that wouldn't catch the attention of the cardholder. Popular methods include buying gas or making a small donation to charity, so banks have started scrutinizing those transactions.

Of course, it's not a simple matter of buying gas or giving to charity -- if those tasks triggered alerts constantly, no one would do either with a credit card. But Levin points to another possible explanation: Purchases made in a high-crime area are going to be held to a higher standard by the bank.

"It's almost a form of redlining," he says. "If there are certain [neighborhoods] where they've experienced an enormous amount of fraud, then anytime they see a transaction in the neighborhood, it sends an alert."

(Indeed, Erin tells me that one of the gas purchases that triggered an alert took place in a rough part of Detroit, which she visited specifically for the cheap gas.)

People who steal credit cards and credit card numbers usually aren't doing it so they can outfit their home with electronics and appliances. They don't want the actual products they're fraudulently buying; they're just in it to make money. So banks are always on the lookout for purchases of items that can easily be re-sold.

"Anytime a product can be turned around quickly for cash value, those are going to be the items that you would probably assume that, if you were a thief, you would want to get to first," says Karisse Hendrick of the Merchant Risk Council, which helps online merchants cut down on fraud. Levin says electronics are common choices for fraudsters, as are precious metals and jewelry.

Many thieves don't want to go through the rigmarole of buying laptops and jewelry, then selling them online or at pawnshops. They'd much prefer to just turn your stolen card directly into cold, hard cash.

There are a few ways that they can do that, and all of them will raise red flags at your bank or credit union. Using a credit card to buy a pricey gift card or load a bunch of money on a prepaid debit card is a fast way to attract the suspicions of your credit card issuer. Levin adds that some identity thieves also use stolen or cloned credit cards to buy chips at a casino, which they can then cash out (or, if they're feeling lucky, gamble away).

When assessing whether a purchase might be fraudulent, banks aren't just looking at what you bought and where you bought it. They're also asking if it's something you usually buy.

"The issuers know the buying patterns of a cardholder," says Hendrick. "They know the typical dollar amount of transaction and the type of purchase they put on a credit card."

Your bank sees a fairly high percentage of your purchases, so it knows if one is out of character for you. A thrifty individual who suddenly drops $500 on designer clothes should expect to get a call -- or have to make one when the bank flags the transaction. If you rarely travel and your card is suddenly used to purchase a flight to Europe, that's going to raise some red flags.

Speaking of Europe, the other big factor in banks' risk equations is whether you're making a purchase in a new area. I bought a computer just days after moving from Boston to New York, and had to confirm to the bank that I was indeed trying to make the purchase. Levin likewise says that making purchases in two different cities over a short period of time raises suspicions.

"I go from New York to California a lot, and invariably someone will call me [from the bank], " he says. Since one person can't go shopping in New York and California at the same time, any time a bank sees multiple purchases in multiple locations in a short period, it's going to be suspicious.

Read Full Story