Hadley Malcolm

USA TODAY

After a spate of data breaches in the past year heightened consumers' fear of personal information being stolen and led retailers to beef up security, shoppers may not be that much safer this holiday season.

Highly anticipated chip card technology that helps make in-store transactions nearly impossible to counterfeit still isn't in most stores and won't be widely available until next year. Breaches in the past year including at Target, Kmart, Home Depot, and Walgreens led to a heightened level of security from retailers and banks when it comes to handling customer data. Though fraudsters haven't slowed down: the United States Postal Service disclosed Monday that its computers were hacked and that employee and customer data were compromised.

In the wake of breaches, companies pledged to speed up issuance of chip cards and adopting the readers required to process the transactions. But Walmart is the only major retailer currently accepting chip cards in stores. The cards include a microchip that creates single-use codes for every transaction instead of relying on the card number, making the data useless if it's stolen.

• Target, whose breach affected 40 million cards and up to an additional 70 million customer accounts, now has chip card terminals in all stores. But they won't be upgraded to the software that allows them to accept chip card transactions until next year. Target-branded credit and debit cards will be reissued as EMV cards in 2015. EMV stands for Europay, MasterCard, and Visa, the three companies that developed a proprietary chip card and set certain standards for the card.



• Home Depot discovered a breach in September that compromised 56 million cards and 53 million email addresses. Stores have chip card terminals but won't have the necessary software to accept chip cards until next year.

Banks are still primarily only issuing chip cards to customers whose card was lost, stolen, or expired, says Doug Johnson, senior vice president of risk management policy at American Bankers Association. Out of the 1.2 billion credit and debit cards issued in the U.S., about 100 million are expected to be EMV by the end of 2014, says Carolyn Balfany, senior vice president of product delivery and EMV at MasterCard.

But there's still a question of whether consumers care all that much about card security. While data show shoppers worry about their information being stolen, that fear may not affect purchasing decisions. A National Retail Federation holiday shopping survey of 7,500 people found that nearly 42% feel neutral when it comes to whether data breaches will affect how they shop. Less than 20% said breaches were "somewhat" or "very likely" to influence how they shop.

Greg Derderian, a pharmacist in Sellersville, Penn., continues to shop at Home Depot despite the fact that his card information may have been stolen during the recent breach. He says his bank quickly issued him a new card. The 36 year-old has had his credit card information compromised multiple times in recent years.

"It's not fun but in today's age I think it's almost turning into a norm now," he says. "Everybody's getting something stolen. It's not stopping me from going and shopping."

In the meantime, security experts stress that there are other ways of mitigating fraud besides relying on EMV technology, and that EMV shouldn't be viewed as a sweeping solution.

Rob Sadowski, director of technology solutions at information security firm RSA, says he's seen an increased investment on retailers' part in security over the past year, such as on transaction monitoring and stronger authentication technology that relies on more than a username and password for a customer to make a purchase.

Home Depot was already in the process of increasing security when its breach was discovered, says spokesperson Stephen Holmes. Though it sped up the rollout of an enhanced encryption technique that scrambles card data from the second it's swiped and keeps it encrypted as the data go through the approval process. Other encryption methods rely on encrypting data only as it lives on a retailer's network or hardware, says Mark Bower, vice president of product management at security company Voltage, which helped install Home Depot's enhanced encryption.

Many large merchants are adopting enhanced encryption, says Bower, whose company has "seen a surge of interest...particularly after the Target breach last year."

MasterCard and Visa are starting to use a method called tokenization for mobile and online payments, where chip cards are irrelevant. The process assigns a different account number, or token, to the debit and credit cards in someone's mobile wallet or online shopping account and uses that to process the transaction instead of the original card number.

"It's a layering effect," Balfany says. "Yes, EMV and chip is terrific also. But that doesn't mean we're going to stop any of these other technologies we've got integrated."

Though none of the security measures negate the fact that just as retailers may be more prepared, fraudsters are also looking forward to the busiest shopping period of the year, when more information is ripe for the taking and there's less likelihood of a breach being noticed, Sadowski says. Yet another retailer's system being hacked is likely inevitable.

"I would not be surprised," Bower says, "if we still saw a significant breach over this holiday period for an organization that hasn't taken these steps."



