We've all heard the news, and the initial panic had started to relax. But now, a new report suggests that 70 million additional customers may be affected by the Target (NYSE:TGT) data breach at the peak of the Christmas shopping season, Nov. 27 to Dec. 15.
According to Reuters, the FBI just sent a confidential memo to retailers warning them of more malware-based data breach shenanigans on the horizon. Here's the issue. If hackers can use "memory-parsing" malware to steal sensitive customer data from Target, the number three retailer in the U.S., in all likelihood, they'll also go after other leading retailers, like Wal-Mart (NYSE:WMT) or Costco (NASDAQ:COST).
Most retailers were already nervous wondering if they would be the next Target, suffering a malicious cyber attack that compromises millions of customers' data and damages their bottom lines. The last big breach in 2007 cost the TJX Companies (NYSE:TJX) $130 million due to investigation costs and having to make legal settlements with banks, card issuers, and customers who joined class action filings.
PIN and chip security
In fact, the National Retail Federation, the industry's largest advocacy group, just sent a letter to Congress on Jan. 21 pushing for banks to adopt credit card security technologies that are tougher to crack. In the letter, NRF President and CEO Matthew Shay sang the praises of European-type credit card security that utilizes "PIN and chip" technology instead of the U.S. method of magnetic stripe and signature security. PIN and chip cards are also known as EMV (Europay, Mastercard, Visa) cards.
PINs, unlike signatures, can be encrypted so that data is extra secure even if criminal hackers access it. The letter pointed out that the U.K. had decreased fraud 70% by implementing this type of next-generation security, while in the U.S. credit card fraud is still on the rise.
According to Shay, this fraud cost retailers, along with their financial institutions, over $11 billion in 2012.
According to Verizon's 2013 Data Breach Investigations Report (DBIR), 24% of the data breaches took place in retail and restaurant environments. The DBIR also found that 92% of the attacks were by those outside a business. Hacking caused 52% of the breaches, while 40% also used some type of malware to perpetrate the data theft.
Cost of data breaches
In its 2013 Cost of Data Breach Study, the Ponemon Institute, an independent research group that studies privacy, data protection, and information security policy, found that malicious criminal cyber attacks cost U.S. companies about $277 per jeopardized record. Its research also indicated that a U.S. company could reduce the cost by $42 a record if it had an incident response plan in place.
On the other hand, notifying victims and regulators within 30 days can actually increase the cost of the breach by $37 per record for the company. Also, the cost goes up as the number of records affected by the data breach increases.
Unfortunately, with potentially 110 million compromised records, Target has a huge problem on its hands.
The Ponemon Institute estimated that the lost business cost averaged over $3 million for U.S. companies. This includes losing customers as a direct result of the breach, increased spending to replace those customers with new ones, and intangibles, such as loss of reputation and goodwill.
Obviously, the cost for Target will be much more and it could take some time to unravel the full impact of the breach. Some estimates are that the damage will run in the hundreds of millions once everything is settled, including class action suits.
So why are retailers dragging their feet?
Many retailers have been nervous about the transition due to the cost of setting up a new credit card infrastructure. Javelin Strategy and Research estimates that the cost of implementing the EMV system would run $8.6 billion. Merchants would take on the bulk of the cost, $6.75 billion, for deploying new POS terminals. That's $400 to $600 per unit. The cost of issuing new cards would fall on card issuers and is estimated to run about $1.4 billion. $500 million would go toward updating ATMs to accept the new cards and ATM owners would cover this outlay.
Card networks, like Visa and MasterCard, have set a deadline of October 2015 for retailers to migrate to the PIN and chip system. Otherwise, they will hold the retailer liable for disputed credit card charges.
It took Canada over seven years to implement the EMV, and the U.S. implementation is more complex. David Hogan, executive technology advisor for the National Retail Federation, predicts it could take 10 or more years in the U.S.
Wal-Mart leads the charge
In May of 2011, Wal-Mart's senior payment director, Jamie Henry, told a Smart Card Alliance audience that the number one retailer had already bought POS terminals equipped for EMV for its more than 4,000 stores in the U.S. As the leading retailer in the U.S., Wal-Mart has the financial resources to transition to the EMV.
Unfortunately, other retailers may not be in the same position, and the migration could take a bite out of earnings and profitability, adding substantial equipment and financing costs. Some retailers have already made equipment purchases; others have not.
So as you review company financials, factor in the extra expenses associated with the move to EMV, as well as any costs, like credit card fraud, that may decrease. Also be aware that if a company does not move to the EMV, it's taking on increased liability for credit card disputes and potential lawsuits associated with the liability of data breaches.
Leading retailers quick to implement the next-generation security technologies should benefit from more customers and revenue later, especially if more high-profile cyber attacks come to light.
Another angle? Companies such as VeriFone (NYSE:PAY), a leading POS terminal provider, stand to benefit from increased investments in EMV. In fact, VeriFone's stock jumped 25% after the Target data breach.