Retail giant Target Corp.'s headache-inducing data breach brings to mind the 1982 Tylenol poisoning crisisan event that drug maker Johnson & Johnson handled with such aplomb that it restored public confidence in its medicine, altered the way retailers handle product safety and established itself as the gold standard for crisis management.
Johnson & Johnson achieved all this with a relatively simple trick: introducing tamper-proof bottles. The question Target faces is whether it can pull off a similar feat by introducing tamper-proof cards.
Even before the massive Target breach, the U.S. payments industry was on the path to replacing the aging magnetic-stripe card with a counterfeit-proof EMV "chip and PIN" version. Merchants, banks and processors are also considering options such as encryption and tokenization, which scramble or eliminate card data as its swiped.
U.S. merchants are currently under pressure from major card brands like Visa and MasterCard to accept EMV-equipped cards by October 2015. Target has indicated it plans to deploy EMV-capable terminals six months ahead of schedule. Some financial institutions have also sped up EMV card issuance plans in the wake of the Target breach.
But is EMV really the answer? Its main security benefit is deterring duplication of physical cards. The chips are of no use in so-called card-not-present transactions involving online and mobile commerce. Whats more, a U.S. court ruling has muddied the legal landscape for use of EMV chips with debit cards and is likely to postpone adoption in this giant market.
EMV alternatives, including encryption and tokenization, had their own Tylenol moment four years ago. Thats when processor Heartland Payment Systems was hit with a massive data breach. Heartland even referenced the Tylenol incident in marketing end-to-end encryption services. Yet the Heartland breach failed to spawn a security revolution big enough to prevent similar crises at Target, Neiman Marcus and other retailers.
That raises the question: Will this time be different and Target become the payment industrys Tylenol?
Maybe. Before the Target breach, many merchants were apparently willing to delay or ignore the card networks' deadline for adopting EMV and ready to face the consequences. Now, even merchants who remain unsold on EMV as cost-effective security may view incorporating the technology as unavoidable.
For their part, Visa and MasterCard have not sped up their timeline for EMV adoption in the wake of the Target breach. Meanwhile, some of their bank partners are already looking past EMV to more higher-tech approaches to payments security.