Payments Views

Allen Weinberg

Is the Target Breach the Chernobyl of Payments?

Chernobyl is certainly at the top of the list of man-made disasters.  In light of recent events, I’ve been thinking that the Target breach has become the Chernobyl of the payments world.

As a group, we Americans never thought that much about payment security – we really didn’t have to.  We are protected by federal laws limiting our liability for lost/stolen cards, while at the same time, the card networks’ rules give us even better “zero liability” protection, and have educated us about that protection with hundreds of millions of dollars (if not billions) of TV ads over the years. 

Joe Shmoe Merchant from Whoknowswhere, Illinois wants your MasterCard account number for an ecommerce purchase?  No problem, you’re protected.  Give my card to a hot dog vendor on the street who swipes it though (or even keys it into) his smartphone?  No problem – mustard and relish please, and hurry up with my hot dog.  Put my Visa credit card on file with an airline that can’t even run its planes on schedule?  Sure, why not, it’s quite convenient.

Look at all the card issuers that have, over the years, tried to differentiate themselves based on security – Bank of America, Citi, and others have all tried it on and off, without much visible success in moving market share.

But after the Target breach, my sense is that things are changing.  I’m wondering if we, who unlike Europeans and others, can’t be bothered to use Verified by Visa and MasterCard SecureCode because “we’re protected anyway”, may be taking a different view of who we give our payment credentials to after “Payments Chernobyl” and what steps we’ll be willing to take to protect our accounts.

I say this because the Target breach is different than all the others – huge numbers of people affected coupled with unprecedented news coverage and congressional hearings.  We just didn’t’ see that with the TJ Maxx, Heartland, Global Payments, Hannaford Brothers, Michaels (twice), Marriott, and other breaches.

Collectively, these breaches have now affected virtually every cardholder in the U.S.  We are largely driven by convenience, and let me tell you, it sure isn’t convenient to have to log in or call all the places that store our card numbers for recurring payments. 

Sure, it’s no big deal getting a notice from my wireless carrier, cable company, and favorite eRetailer when the auth request fails, but what about all the other places we forget about?   My son was thrown off a San Francisco bus when my card of file was declined and his monthly contactless bus pass didn’t renew (and yes, to my fellow payment geeks, I haven’t forgotten about the networks’ account updater services, but we all know they are far from a panacea).

So I’ve been thinking a lot about whether U.S. consumers will alter their payments behavior after Payments Chernobyl, and if so, how.

Anecdotally, I’ve been hearing about people now preferring signature versus PIN debit, and of other people who are switching from signature debit to PINs.  I’ve spoken to people who are not worried too much about leaving a credit card on file (“hey, it’s the bank’s money anyway”) but are now quite reticent to put a debit card on file (“sure, I’ll get the money back, but my rent check will be bouncing in the meantime”).  And how about those people who have a Target or another merchant’s decoupled debit card – you know, the ones that have your checking account number on file so that they can route the purchase thought the ACH?  I suspect a number of those folks are watching their checking accounts pretty closely now.

So I’m reaching out to everyone, asking you to let me know what you’re thinking, seeing in your own data, and hearing.  Have you changed your payments behavior after Payments Chernobyl?  Changing your use of PIN vs. signature debit?  Using credit vs. debit more?  Rethinking whom you say its OK to keep your account number on file for faster checkout or recurring payments?  Will your “chip and PIN” or “chip and signature” card be top of your wallet when EMV comes to market? Or even, and I hate to say this, using cash more?

I’d love hear from you – please track me down at Allen@Glenbrook.com!

8
Leave a Reply

avatar
5 Comment threads
3 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
6 Comment authors
Ben KatzJasonAllen WeinbergDavid SnyderWilliamson Recent comment authors
  Subscribe  
newest oldest most voted
Notify of
Colin Kerr
Guest

A compelling article. 20 years ago I moved to the US from the UK. I was stunned then that store checkout clerks rarely validated the authenticity/signature of the cardholder, and that people lend credit/debits cards to family members to go shopping. I just had my debit card renewal arrive, the signature strip was worn off 2 years ago and perhaps 5 stores/restaurants asked me to show ID. If that’s still the attitude to physical cardholder authentication, perhaps ‘Payments Chernobyl” (hopefully not something worse) really is the force to enact technical security and more effective solutions.

Jason
Guest
Jason

Prediction: consumer behavior change will be minimal, possibly negligible. A couple of data points – Target’s top-line sales impact was small. First Data’s Spendtrend data was relatively stable despite a miserable January for retail due to weather. 2 theories. 1) People don’t think about payments when shopping – it’s a passive behavior. Their mind is on shopping (while juggling a smartphone and possibly a kid or two). 2) Debit is not a choice for most debit users. Many don’t have the credit and/or they have a deep and emotional fear of credit card debt. Those using credit cards with rich… Read more »

Williamson
Guest
Williamson

Interesting take on this situation, data security is crucial to retain customer confidence especially in the retail industry. Banks and payment processing companies will have to collectively take responsibility for incidents such as this and take adequate measures to ensure they have a secure and protected payments system. I work for McGladrey and there’s a newsletter on our website with great information for banks on optimizing existing technology and other valuable insight into improving overall performance.

David Snyder
Guest
David Snyder

Personally, I’ve cut back on using my debit cards at stores. It just seems prudent to minimize the exposure of my checking accounts. As for public perception of the Target incident, I expect it to recede into the background fairly quickly. A few people will stay away from Target for a while, but most will find that convenience and price will drive their behavior more than concern over something that is unlikely to have much effect on them. As for merchants, I expect some of them to increase their vigilance, but many will only give lip-service to the topic. The… Read more »

Ben Katz
Guest

Since Target’s biggest sin here was relating to insecure servers, and since I know of no technology that replaces common sense, I don’t believe payment security is ever realistic. I do wish EMV weren’t the proposed way to solve this. 1)It doesnt appear to protect us when shopping online (VbyV or MCsecurecode should be required for online, as you suggest). 2)It seems so 1980s solution. Do you see any ways to use “last known location of cell phone on my person” and mapping that to signature transactions as a fraud screen? Why cant we find a software solution to this?… Read more »