Credit unions across the nation are moving up their EMV conversion timelines, considering more class action lawsuits against Target Corp. and calling on Congress to create rules requiring greater payment data security from retailers.
Those are ripple effects from the recent Target data breach that compromised more than 40 million credit and debit cards, including encrypted PIN data. The names and contact info of 70 million people was additionally exposed, Target said last week.
EMV-chip cards are designed to be harder to counterfeit than magnetic-stripe cards, and the card networks set an October 2015 deadline for most merchants to be ready to accept them. Those who miss the deadline face an increase in fraud liability.
The massive fraud attack against Target has many payments experts insisting that EMV-chip technology alone won't be the answer to significantly deter cyber payments crime in the U.S. Additional security measures are needed, they say, such as tokenization, a process for masking card data.
The Target breach has Florida Central CU making changes to its plans to be ready to meet the October 2015 deadline. CEO Laida Garcia says the $392 million CU plans to speed up the process to convert the card base to EMV.
"We don't have a target date for the [EMV] reissue, but will try to expedite the process as best as we can," she says.
Following the Target breach, FCCU did not mass reissue its debit cards. Instead, the credit union is closely monitoring its portfolio and working with members.
"We alerted members to the data breach and reissued cards for members who felt uneasy approximately 3,000. Only a handful of our accounts so far have actually shown signs of being compromised," says Garcia.
'Fuel The Fire Of EMV'
Andrew Tilbury, chief marketing officer for BluePoint Solutions in Henderson, Nev., says the Target breach will "definitely fuel the fire of EMV." At MidSouth Community FCU in Macon, Ga., CEO Roy Bibb says the $180 million CU has been so busy communicating with members and reissuing plastic that it has not had time to talk about moving up its EMV conversion. "It is worth a discussion, but we are not sure now if the Target breach will make us move up our timeline."
Caroline Willard, EVP of markets and strategy at CO-OP Financial Services in Rancho Cucamonga, Calif., points out that when the credit union reissues a large number of cards, it's worth considering reissuing with EMV. But Willard stresses that reissuing to prevent fraud loss in the aftermath of a breach is not always needed.
"If the credit union is doing a good job of fraud monitoring, working with members and their partners, reissuing is often not necessary," says Willard.
The $2 billion SAFE CU in North Highlands, Calif., was hoping to avoid a large reissue, as the move impacts service and too many reissues can compromise member confidence in the cooperative.
"We eventually decided to reissue on our cards," says CEO Henry Wirz. "At first we offered all members who called the option to reissue. We told them that unauthorized withdrawals were covered by SAFE. But when we saw the scope of the compromised cards as reported by a VISA CAM alert, we had to rethink our strategy. We think we have about 25,000 cards compromised."
Julie Conroy, research director for retail banking at the Aite Group in Boston, says she does not think many financial institutions will bump up their EMV migration due to uncertainty around debit network routing and exclusivity rules.
In July, U.S. District Judge Richard Leon struck down the new limits on swipe fees and the routing provisions under the Durbin rules. The Federal Reserve Board has appealed the ruling, and the case is expected to play out in the first half of the year.
"That uncertainty has slowed a lot of migration to EMV," observes Conroy. "Until that uncertainty is cleared up, I think we will see a cautious approach to EMV from financial institutions."
Conroy also says FIs won't rush to EMV now because many merchants, particularly small ones, are not EMV enabled. Also, chip technology would not have prevented Target's situation because EMV does not encrypt card data transmitted between the card swipe at the terminal and the acquirer of the transaction.
"EMV, however, would make it harder for these thieves to monetize the data theft making it much more difficult to produce counterfeit cards," Conroy notes.
But EMV would not prevent Target thieves from using the data for card not present fraud, say several analysts, many now favoring a layered approach to data security.
More Card Data Protection
Robert Hackney, president of CSCU in Tampa, Fla., sees the Target breach accelerating movement in the U.S. toward additional card-data protection measures.
"This will move up the demand for technology that will render compromised account data useless. That could be tokenization and also mobile," he says. "I am becoming increasingly encouraged about the security of mobile to prevent counterfeit fraud, like what occurred at Target."
Brandon Kuehl, product development architect at the Des Moines, Iowa-based The Members Group, and leader of the company's EMV operations team, notes that tokenization is effective against card-not-present fraud.
While it is unclear how tokenization would be executed in the U.S., he explains the security process avoids giving merchants the cardholder's 16-digit account number in favor of another number that reveals the account information only when the "token" is decrypted and the purchase goes through the authorization process.
"This eliminates the merchant from storing the 16-digit account information," says Kuehl, who adds that tokenization is a long way from being employed stateside. "Just like EMV, all of the players in the payments system have to buy in and come to agreement on standards."
The effects of the data compromise have also led to legal action, with Alabama State Employees CU in Montgomery, Ala., at the start of the year filing what appears to be the first class action by a financial services company against Target over costs from the breach.
SAFE's Wirz says it is possible his credit union could take similar action.
"We are asking both VISA and legal counsel about our ability to bring suit, and the benefits and disadvantages of joining a class action suit," explains Wirz. "The preferred approach for SAFE is to work with VISA through the rules as that minimizes our costs and may maximize our recovery. If VISA's solution doesn't appear adequate, we will then either file our own lawsuit or join a class action. We continue to believe that lawsuits are the last resort. Legal action always results in higher business costs."
Wirz says SAFE believes that in the absence of any federal laws to protect credit unions from merchant breaches, SAFE needs to continue working with VISA to see that the VISA rules provide the maximum amount of protection.
"That said, we are looking for a legislative solution for the long term that creates a federal standard to ensure merchant and merchant processors adopt a high level of data security consistent with the levels of security now found in banks and credit unions," Wirz says.
CUNA, backed by a growing data bank of CU costs from the Target breach, hopes to paint a clear picture to lawmakers of the data compromise's impact on CUs.
In late December CUNA introduced a data collection website where credit unions can keep a tally of their costs from the Target breach.
"Congress will be looking into this [data breach] in the next few months," says CUNA Chief Economist Bill Hampel. "When they ask us, 'What has been the effect on credit unions?' we will be able to tell them using nice, strong, rigorously collected data."
To that end, Sen. Patrick Leahy (D-Vt.), chairman of the Senate Judiciary Committee, reintroduced a data privacy bill last week and said on the Senate floor that the issue would be discussed in a committee hearing early this session.
Meanwhile, Senate Homeland Security and Government Affairs Committee Chairman Sen. Tom Carper (D-Del.), plans to reintroduce a measure to place retailers under some of the same data security requirements now followed by financial institutions.
Leahy's bill includes a provision to establish criminal penalties for willfully concealing a security breach of personal data when it causes economic damage to consumers.
Sens. Al Franken (D-Minn.), Chuck Schumer (D-N.Y.) and Richard Blumenthal (D-Conn) are cosponsors of the Leahy bill.