Target Breach – Part III: Their Next Step Could Be Their Biggest Mistake

For the purposes of this post I’m going to assume the rumours are true, but even if they’re not, both the premise and the message to large retail are still largely valid.

Apparently, Target will be replacing their current point-of-sale terminals with a Verifone ‘solution’ capable of Point-to-Point Encryption (P2PE) and, I assume, EMV and NFC as well. So it wasn’t bad enough that they lost 40M credit card numbers – the repercussions of which will cost them millions – they are now going to spend many millions more in order to keep accepting the root cause of their troubles: the credit card.

Yes, the new PIN Entry Devices (PEDs) may encrypt the cardholder data from the swipe onwards, and, if the solution is PCI-validated, this MAY take most of the merchant’s payment path (everything between the PED and the decryption environment) out of PCI DSS scope, but nothing has fundamentally changed. The only significant payment channel is still a custom-built, exceedingly expensive system that can only accept credit cards. I estimate that $25,500,000 would be required to replace the PEDs alone (1,700 locations × 30 lanes per store × $500 per PED)!

Never mind that they will also have to pay for the P2PE service, and fundamentally change every business process relating to payments; they will STILL have to pay the card brands astronomical sums in fees! Their 2013 net revenue was ~$73 billion, so let’s say (conservatively) that 15% of that was paid by credit card, and that Target have a preferred interchange rate of 1%. That means that in 2013 alone, Target paid the card brands roughly $109.5 MILLION just for the ‘privilege’ of letting customers use a credit card.

$25.5M + $109.5M = $135M. How many innovations in payments could that fund? Or, more to the point, how many alternative methods of payment AUTHENTICATION could that fund, methods which would vastly improve the security of the transactions and render the card brands’ 60-plus-year-old technology obsolete once and for all?

Now imagine if they got together with Walmart, Metro, Aldi, Costco and the rest of the world’s top 10 retailers, who, by the same maths, pay the card brands a combined $1.7 BILLION in fees. Just how much influence do you think they would have?

And that’s really the point: the retailers don’t seem to know just how much power they have. They in fact hold ALL the cards, but not one of them wants to be the first to play them, for fear of losing the competitive edge to the others. If they could only put aside their differences for a while, they could, all by themselves, create the momentum needed to change the way non-cash payments are made on a global basis.

The card brands won’t do it; it’s 100% of their business. The banks won’t do it; they make their own profits from it. And no one else with a vested interest in the status quo will make any effort to provide alternatives. I can’t say I blame them: business is business, and it’s not as though the average consumer is clamouring for choice. But the retailers have by far the most to gain, and by far the most direct influence on how people shop.

Someone has to go first, and Target now have the perfect opportunity to spend their money future-proofing their payment infrastructure, but only if they finally understand that payments are NOT a core function (selling stuff is), and that their customers will adopt ANYTHING that’s cheaper, easier, and safer.

They have an image to fix, but this is not the way to go about it.

7 thoughts on “Target Breach – Part III: Their Next Step Could Be Their Biggest Mistake”

  1. Interesting thinking David, however, I would look at this from the perspective of the consumer and see that as the reason why the change that you suggest won’t happen. As a consumer, a credit card account is very useful. The card is accepted pretty much everywhere (in merchants large and small) and I get a line of credit. It offers standardisation, convenience and for some a useful financial advantage between pay cheques.

    Target, on their own or with 10 or so large merchants, could develop their own card/wallet but they would still need a cheap and quick authentication method. Maybe an account card with a picture or some simple quick biometric/pin combination. How do they then enable eCommerce and Card Not Present transactions? The crucial issue of Identity remains. In this scenario, they would take 100% of any losses and they would have to run a membership scheme or outsource it to…

    As a consumer, I certainly don’t want a store card for just one store or more likely for every store.

    Kind regards

    Kevin

    On reflection, Costco have a membership card with a picture and don’t take credit card payments.

    • Many thanks for your comment Kevin.

      You don’t have to have a credit card to have a line of credit, and while I agree that credit cards have been ubiquitous for generations, mobile phones are now more prevalent than credit cards globally. On average, it takes 11 days to discover you’ve lost a credit card; it takes 4.5 minutes to realise you don’t have your phone.

      So what makes most sense? Having a piece of plastic that authenticates itself to an expensive PED to access your line of credit, or to multi-factor authenticate yourself through your phone to access ANY of your payment options?

      Payments are all about authentication, credit cards are too insecure, too limiting, and too expensive.

  2. I agree that mobile devices offer an alternative; however, there are several wrinkles to be ironed out before they could totally replace credit cards.
    1. Not everyone has a personal mobile. Can I use my work mobile?
    2. How do you form a secure chain of trust to tie the mobile and/or any mobile app to the actual person? Possible, but it will require additional in-person validation and enrollment, which would need to be done by the bank or another root of trust.
    3. How secure are mobile devices? Do we open a new vector for criminals to enable more rogue app downloads?
    4. How does this work in eCommerce?

    The Target exploit may be in-store to harvest card details, but the monetisation is likely to be online through CNP.

    Kevin

    • 1. By this year [estimated], the number of mobile phones will exceed the world’s population, and they will therefore be far more widespread than credit cards, which are tied to a very complex and hugely expensive infrastructure. Done correctly, the mobile device you use will not be relevant; the data necessary to effect the payment will be in the form of individual authentication, not payment details.
      2. Absolutely, identity management will be critical, and other forms of thresholding will be either necessary (geo-location, spend limits, etc.), or nice to haves. While enrolment is often seen as a pain, done correctly it makes every form of security measure available seamlessly, which in turn will significantly increase the conversion rate by reducing the subsequent auth. burden.
      3. Mobile devices are inherently INsecure, which is why the sensitive data should never pass through them. Authentication only through mobile is far more secure, but nothing will be perfect. Thieves will find ways of breaking it, but, as in everything, they will start with the ones poorly written.
      4. Same way. Authentication is authentication, the medium is irrelevant.

      I agree, it will be effected through CNP means, but that is because the credit card auth. channels are fundamentally flawed.
