Page 10 - gs140502
P. 10
News
ChapterTitle
Target breach may It has been reported that the source of the Target breach
was an email phishing attack on Target's HVAC vendor
be U.S. EMV catalyst and that Target's security team overlooked red flags that
could have minimized the effects of the breach.
Bycroft equated what happened at Target to the theft of
he fallout continues from the 2013 holiday- an expensive and well-maintained sports car. "There's a
season data breach at Target Corp. But a relative spare key to this car and it's hanging on the hook in the
bright spot from the breach, in which an esti- kitchen," he said. "What happens is the cleaners come in
T mated 100 million card accountholder details … and take it. And that's what happened with Target."
were compromised, is that the sluggish transition of the The company may have been Payment Card Industry Data
U.S. payments infrastructure from a mag stripe-based to a Security Compliant, but human error and opportunity
Europay/MasterCard/Visa (EMV) -based system seems to circumvented security, something that EMV could not
have picked up steam. have prevented, he said.
Target's costly delay
In late April 2014, Target appointed Bob DeRodes to helm
the brand's EMV transition. As Executive Vice President Ironically, Target initiated a previous transition to EMV in
and Chief Information Officer at Target, DeRodes' job the early 2000s. Mansour Karimzedah, Managing Director
includes overseeing the push of the retailer's entire and Chief Technology Officer at the SCIL-EMV Academy,
REDcard portfolio to EMV, months in advance of the card remembers it well. "We all said, 'Wow, now that Target
brands' October 2015 deadline. At that time, fraud liability is going EMV, everybody else will," he noted. "But after
in the event of a data breach will shift to the weakest link awhile, maybe a year, less than a year, they stopped that
in the payment transaction chain, which many expect will project and said they really didn't need EMV in the U.S."
be merchants who are not EMV compliant.
Karimzedah believes that if Target had gone to EMV back
Target said that by early 2015, its branded credit and debit then, the 2013 breach could have been minimized. He
REDcards would be enabled with MasterCard Worldwide's said when EMV is initially implemented, chip cards still
chip-and-PIN-based EMV solution and its existing co- come with mag stripes, so the cards can be used to make
branded cards would be reissued. Target also said new purchases on legacy POS systems that only accept mag
EMV-compliant POS terminals would be installed in all stripe-based payments. But when such cards are used,
of its 1,797 U.S. outlets by September 2014. Target has transaction data indicates the cards are chip-based. Such
earmarked $100 million for its push to EMV. is not the case when the cards are only enabled for mag
stripe, according to Karimzedah.
Meanwhile, the May 5, 2014, resignation of Target's Chief
Executive Officer, Gregg Steinhafel, may not have been When the Target hackers took the stolen payment data
entirely driven by the breach. Target's fourth quarter and encoded counterfeit cards on mag stripe cards,
2013 profits plummeted 46 percent, seemingly in direct there was no way for Target to differentiate between the
consequence to the breach. However, Target's business counterfeited mag stripe cards and the original mag stripe
model appears to be under pressure from such growing cards. But if the cards had been EMV-enabled at the outset,
trends as omnichannel shopping and showrooming. Target could have more easily identified the bogus cards
A change at the top can be seen as a response to as fraudulent and quickly have stopped the data theft,
macroeconomic forces. Target Chief Financial Officer John Karimzedah said.
Mulligan stepped in to serve as interim President and
CEO. EMV activity picking up
The case of a spare set of keys The SCIL-EMV Academy is offering its QuickStartEMV
platform that allows issuers and processors to migrate to
Despite Target's accelerated EMV timetable and EMV chip and PIN technology without having to replace
management changes, the massive Target data breach that
occurred at the height of the 2013 holiday shopping season
remains a dark shadow over the company.
Despite Target's accelerated EMV
John Bycroft, Executive Vice President at U.K.-based timetable and management changes,
fraud specialist Insider Technologies Ltd., applauded the massive Target data breach that
Target for stepping up its transition to EMV. However,
he believes EMV would not have prevented the breach. occurred at the height of the 2013
"Implementation of EMV by Target would not in any way, holiday shopping season remains a
shape or form prevent from happening what previously
happened," Bycroft said. dark shadow over the company.
10
ChapterTitle
Target breach may It has been reported that the source of the Target breach
was an email phishing attack on Target's HVAC vendor
be U.S. EMV catalyst and that Target's security team overlooked red flags that
could have minimized the effects of the breach.
Bycroft equated what happened at Target to the theft of
he fallout continues from the 2013 holiday- an expensive and well-maintained sports car. "There's a
season data breach at Target Corp. But a relative spare key to this car and it's hanging on the hook in the
bright spot from the breach, in which an esti- kitchen," he said. "What happens is the cleaners come in
T mated 100 million card accountholder details … and take it. And that's what happened with Target."
were compromised, is that the sluggish transition of the The company may have been Payment Card Industry Data
U.S. payments infrastructure from a mag stripe-based to a Security Compliant, but human error and opportunity
Europay/MasterCard/Visa (EMV) -based system seems to circumvented security, something that EMV could not
have picked up steam. have prevented, he said.
Target's costly delay
In late April 2014, Target appointed Bob DeRodes to helm
the brand's EMV transition. As Executive Vice President Ironically, Target initiated a previous transition to EMV in
and Chief Information Officer at Target, DeRodes' job the early 2000s. Mansour Karimzedah, Managing Director
includes overseeing the push of the retailer's entire and Chief Technology Officer at the SCIL-EMV Academy,
REDcard portfolio to EMV, months in advance of the card remembers it well. "We all said, 'Wow, now that Target
brands' October 2015 deadline. At that time, fraud liability is going EMV, everybody else will," he noted. "But after
in the event of a data breach will shift to the weakest link awhile, maybe a year, less than a year, they stopped that
in the payment transaction chain, which many expect will project and said they really didn't need EMV in the U.S."
be merchants who are not EMV compliant.
Karimzedah believes that if Target had gone to EMV back
Target said that by early 2015, its branded credit and debit then, the 2013 breach could have been minimized. He
REDcards would be enabled with MasterCard Worldwide's said when EMV is initially implemented, chip cards still
chip-and-PIN-based EMV solution and its existing co- come with mag stripes, so the cards can be used to make
branded cards would be reissued. Target also said new purchases on legacy POS systems that only accept mag
EMV-compliant POS terminals would be installed in all stripe-based payments. But when such cards are used,
of its 1,797 U.S. outlets by September 2014. Target has transaction data indicates the cards are chip-based. Such
earmarked $100 million for its push to EMV. is not the case when the cards are only enabled for mag
stripe, according to Karimzedah.
Meanwhile, the May 5, 2014, resignation of Target's Chief
Executive Officer, Gregg Steinhafel, may not have been When the Target hackers took the stolen payment data
entirely driven by the breach. Target's fourth quarter and encoded counterfeit cards on mag stripe cards,
2013 profits plummeted 46 percent, seemingly in direct there was no way for Target to differentiate between the
consequence to the breach. However, Target's business counterfeited mag stripe cards and the original mag stripe
model appears to be under pressure from such growing cards. But if the cards had been EMV-enabled at the outset,
trends as omnichannel shopping and showrooming. Target could have more easily identified the bogus cards
A change at the top can be seen as a response to as fraudulent and quickly have stopped the data theft,
macroeconomic forces. Target Chief Financial Officer John Karimzedah said.
Mulligan stepped in to serve as interim President and
CEO. EMV activity picking up
The case of a spare set of keys The SCIL-EMV Academy is offering its QuickStartEMV
platform that allows issuers and processors to migrate to
Despite Target's accelerated EMV timetable and EMV chip and PIN technology without having to replace
management changes, the massive Target data breach that
occurred at the height of the 2013 holiday shopping season
remains a dark shadow over the company.
Despite Target's accelerated EMV
John Bycroft, Executive Vice President at U.K.-based timetable and management changes,
fraud specialist Insider Technologies Ltd., applauded the massive Target data breach that
Target for stepping up its transition to EMV. However,
he believes EMV would not have prevented the breach. occurred at the height of the 2013
"Implementation of EMV by Target would not in any way, holiday shopping season remains a
shape or form prevent from happening what previously
happened," Bycroft said. dark shadow over the company.
10
