The pre-Christmas data theft of millions of credit and debit cards used at Target may have shocked consumers, but the retail giant knew the threat was real and had pursued an innovative solution years ago.
In the early 2000s, the Minneapolis-based company installed “smart card” technology at all its U.S. stores, designed in part to thwart the kind of security breach that Target is now scrambling to contain. The company said it ultimately abandoned the three-year pilot because no other retailer adopted the technology, which put Target at a disadvantage because the emerging technology slowed down checkout times.
“We went out on our own and did something innovative and ultimately the industry didn’t keep pace with Target,” Chief Financial Officer John Mulligan said in a recent interview. “So there wasn’t a lot of benefit outside Target for our guests. And the in-store experience was adversely impacted because it was a slower checkout process.”
For smart cards to work, everyone needs to use the technology, Mulligan said. “The data breach hasn’t change our viewpoint on this at all. We have been advocates for moving to such a system for quite some time.”
The 19-day breach is among the country’s largest recorded data security breaches. It exposed the credit and debit card information of 40 million people who paid with plastic at U.S. Target stores between Nov. 27 and Dec. 15. The stolen information included all types of credit and debit cards, including Target’s own Redcard.
The breach underscores the difficulty retailers face in safeguarding consumer information at a time when companies like Target depend on such cards to drive sales and customer loyalty.
Target’s Redcard program, which offers 5 percent off each purchase and free Internet shipping, is a crucial component to the retailer’s strategy of getting consumers to frequently shop at Target stores and buy more stuff.
It also collects enormous amounts of consumer data, information Target can use to target consumers with specific offers based on past purchases.
“They have to protect [the Redcard],” said Joshua Carlson, a Minneapolis-based data privacy attorney who formerly worked at Best Buy. “It’s their secret sauce.”
Target first conceived of a proprietary “smart” credit card in the early 2000s. Such cards, which generated big profits, had long been a staple at department stores, and Target felt it was upscale enough to warrant a card of its own.
The original Redcard offered members 10 percent off on certain days throughout the year. Target also wanted to experiment with chip-based smart cards that could offer digital coupons based on a user’s purchase history stored on the chips. The smart card technology, which is used widely in Europe, also was considered safer than magnetic-striped cards.
Other retailers didn’t follow
Chip cards employed a feature called “dynamic data,” in which the system automatically alters the account information in a unique way each time a customer swipes the card.
That would make the card unusable to anyone but the customer. Target could also issue new accounts, establish authorized users, and change PIN numbers without reissuing the cards.
Target installed readers at all its stores, but ultimately pulled the plug because competitors stuck to the old system. And the technology made for slower checkout lines.
“They were ten years ahead of their time,” said Carlson, the privacy attorney. “Back then, you had to sign for each transaction. Think of the number of transactions per terminal per day at over a thousand stores.”
For the technology to succeed, “there has to be a massive, coordinated effort to move to chip-base cards,” Carlson said. “It’s valid Target tried, and it’s valid that they didn’t go ahead with it.”
Target went back to magnetic stripes and the Redcard eventually became a huge success, especially after it offered 5 percent off each purchase and the retailer extended debit cards to non-credit-card shoppers.
As both retailer and credit source on so many transactions, Target reaped the benefits of both worlds. It collected the interest and late-payment fees from unpaid credit card balances while generating more sales and customer loyalty.
In fiscal 2012, Redcard purchases made up 13.6 percent of Target’s sales, compared to 5.9 percent two years before. Kantar Retail, a consulting firm based in Boston, estimates that top card users spend an extra $3,000 or more per year. It also sees Redcard holders visiting Targets 21 more times a year than other customers.
But as the Redcard program expanded, Target knew customer data could be at risk.
“If we experience a significant data security breach or fail to detect and appropriately respond to a significant data security breach, our reputation could suffer and our guests could lose confidence in our ability to protect their personal information, which could cause them to discontinue usage of Redcards,” the company warned in its most recent annual report.
Just a few days before Christmas, Target confirmed that the scenario had unfolded: Thieves stole account information by installing malicious software on the retailer’s checkout terminals. In the confusion and negative publicity that followed, some creditors canceled cards that had been used at Target, though Target CFO Mulligan said “well over 99 percent continue to keep their accounts.”
‘We remain very confident’
“The best thing we can do right now is to help our guests get through this and help them move on with their lives and move on with our business,” Mulligan said. “We remain very confident in the Redcard and its future.”
In the meantime, Target has been working on high-tech alternatives to cards. Target recently joined a new payments network called Merchant Customer Exchange (MCE) that is developing a smartphone-based “mobile wallet.” The group includes many of the nation’s largest retailers, including Richfield-based Best Buy Co. Inc., Wal-Mart, CVS and Sears.
Details are scarce, but MCE is working on a system that allows shoppers to use their smartphones to pay for purchases. In theory, this would prevent the type of theft that occurred at Target because the MCE system will store key customer data, like credit account information, in secure remote Internet servers, rather than on the internal systems of individual retailers.
“Everyone has been looking away from this issue for some time,” Carlson said. “Now the credit card breach is going to wake people up.”