Target's recent commitment to fast-track its conversion to EMV smartcard technology may not trigger an avalanche of U.S. retailers doing the same, but Target's move seems to have become a catalyst to resolve the payments industry's other issues around EMV adoption.
"It's a very positive thing for the industry that people are talking about collaboration and different groups are getting together to talk about how we can work together to accelerate EMV," says Ellen Richey, Visa's chief enterprise risk officer and chief legal officer.
The U.S. has steadily been moving toward EMV-chip cards to improve security over aging magnetic-stripe cards. Visa and the other major card networks have set October 2015 as the deadline for most merchants to be able to accept EMV cards. Those who miss the deadline face an increase in fraud liability.
Prior to the highly publicized 2013 holiday shopping season breaches at Target and Neiman Marcus, payments companies sometimes tended to "work against each other" on major issues facing EMV migration, Richey adds.
In addition to Target's commitment to accept EMV cards six months ahead of schedule, some banks and credit unions are openly discussing their own plans to speed up EMV adoption or even get a head start on deploying other emerging security methods.
Even if the entire payments industry isn't demanding a more aggressive timetable for EMV, there is "a definite acceleration over what would have happened were it not for this new level of interest," Richey says.
The data breaches have served as a "further proof point" that the migration to EMV in the U.S. can help alleviate fears of counterfeit cards being produced in the aftermath of breaches, says Carolyn Balfany, MasterCard's senior vice president and group head of U.S. product delivery.
Issuers and merchants had already been working toward migration over the past two years, but progress stagnated amid uncertainty after a federal judge's ruling questioned how EMV debit routing is handled under the constraints of the Durbin amendment, Balfany says.
The debit routing issues remain unresolved; however, the Target breach led to a "largely common agreement across the market that it is now time to move to EMV, independent of those possible changes in the future," Balfany says.
"What we see then is each independent organization making their own decisions about their migration paths, but largely all of them saying we are going to migrate now," Balfany adds. "If we have to come back and make adjustments in the future, we will do so, but we are not going to hold up because of them."
Investment research firm Morgan Stanley told investors last week that the Target and Neiman Marcus breaches were likely to accelerate the U.S. EMV conversion, keeping terminal makers and secure-chip plastic card developers busy.
But none of the current rhetoric hides the fact that EMV's absence was not a factor in the Target breach, says Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.
"Target is doing a masterful job of distracting attention away from the fact that they were not using commercially available security products that would have protected data, and they are deflecting attention over to EMV," Conroy says.
Target has confirmed that hackers entered the company's payment system through stolen vendor credentials and infected it with point-of-sale malware. Security experts have asserted that Target lacked tokenization, which protects card data by replacing it with a secure token, as well as firewall protection within its various system networks.
"They made some public relations missteps at the outset, but they have done a good job of making this not their problem, but an industry problem," Conroy says.
In that regard, Target is taking a page out of Heartland Payment Systems' playbook, from when the processor "became champions of end-to-end encryption, even though that would not have helped stop the breach there either," Conroy says.
Still, Target's post-breach moves are creating dialogue that is pushing the EMV conversion ahead after the payments industry "hit the pause button because of Judge Leon's decision," she says. "I don't think this is going to start a mass stampede to EMV in the merchant community, but issuers are moving, though not full speed ahead."
What's more important, Richey says, is that breaches have brought about a new spirit of cooperation.
For the past two years, the industry has grappled with how to code EMV debit cards to comply with the Durbin amendment's requirement of having at least two network routing options.
The debate in the U.S. has centered on whether a card brand or an independent company could establish and manage a common application identifier (AID) for routing debit transactions. Visa and MasterCard have offered use of their technology, while the independent debit networks have embraced Discover technology and formed their own company, the Debit Network Alliance.
"All of the parties are much more motivated now to move toward something with the common AID that really meets everybody's needs, rather than standing on a principle," Richey says. "I think that we will see some movement on that in the very near future to remove any type of roadblock that is coming out of the debit side."
Visa continues to offer its common AID as the best for the industry, "but we also feel that the debit networks have their concerns that we need to make sure are addressed as part of our adoption," she adds.
The Debit Network Alliance did not respond to inquiries prior to deadline.
Balfany did not want to speculate about the Debit Network Alliance's approach in the aftermath of Target, but says both card networks' technologies meet all of the requirements defined by the issuing groups and merchant groups that have studied the topic as part of the EMV Migration Forum.
Even before the Target breach, many terminals in the U.S. could be considered "world terminals," meaning they are ready for EMV cards and future mobile payment technology, Balfany says.
"As merchants have gone through regular upgrade processes, they have begun to get terminals that are capable of doing contact chip, contactless and magnetic stripe," Balfany says. "That's the definition of 'world,' because the terminal can do it all."