Taking the position of "better late than never," Target (NYSE:TGT) is accelerating its $100 million investment into chip-enabled smart card technology to help rebuild consumer trust after the hacking attack last November and December.
In testimony before Congress the other day about the data theft, the retailer admitted it could likely have done more. While it's supposedly asking "hard questions" of itself over how it could have prevented the theft of personal data from 40 million customers, Target's CFO said they've already installed 10,000 chip-enabled payment devices in its stores with a complete rollout expected to be achieved by September, six months ahead of schedule. It also anticipates shipping new chip-enabled Target REDcards by early next year as well as being able to accept all smart cards by then. Use of smart card technology elsewhere in the world has reportedly led to a significant decline in losses related to in-store fraud.
Although a welcome advance, Target explored using chip-enabled technology in the early 2000s but abandoned the project because no one else went along. While requiring the use of four-digit PINs to complete a transaction provides additional levels of security, it also tends to slow down checkout times. Now, as Target reels from the hack attack, retailers in general are far more receptive to deploying the technology.
Smart cards use microprocessor chips that encrypt personal data shared with sales terminals installed by merchants. If the smart card's data is stolen, the information is essentially useless to the hacker because the chip is absent.
Not that smart cards aren't an improvement over the current system, but Target had software in place from FireEye to monitor its systems and alert it to any intrusions. And the system worked; it only fell down because the retailer ignored the warning signals it was given. Although it amounts to catching the burglar after he's entered the house rather than preventing him from gaining access in the first place, the debacle could still have been limited.
In addition to the 40 million customers who had their data stolen, another 70 million had partial data taken. While there is likely a good amount of overlap between the two -- Target estimates at least 12 million customers may sit in both camps -- it still represents a huge universe of compromised accounts.
The new measures aren't exactly a case of too little, too late for Target since it does need to restore confidence in its REDcard program, which accounts for about 20% of all purchases made in its stores, but technology only goes so far. It's only dumb because Target is belatedly deploying capital to restore consumer trust it allowed to be needlessly tarnished. Had it had the right people in place beforehand, it wouldn't find itself having to play catch-up with technology protections while leaving itself open to billions of dollars in liability lawsuits.