Retail Systems Research
When TJX Talks… People Giggle?
By Steve Rowen, Managing Partner
9/9/2008
 
TJX has been understandably tight-lipped since enduring the largest data breach in retail history, but part of its settlement with the card brands last year requires the retailer to perform more “public service”-type work to raise awareness and conversation. Now the retailer is speaking out publicly about the dangers of not keeping customer information (namely payment data) more secure. As a result, Vice Chairman Donald C. Campbell (the third highest executive in the TJX organization) gave an interview to the Boston Globe last week.
What is TJX touting as the “cure” to the data breach blues? Chip and PIN.
Retailers here in the US know the Chip and PIN system as the way European retailers have avoided the level of card security-related problems we’ve had for years. At its simplest, each individual credit card houses a computer chip. When swiped, the transaction can only be completed once the personal identification for that specific chip/card is entered. Unfortunately, retailers here in the US also know that this is a technology that is well beyond the grasp of economic feasibility.
Campbell told the Globe’s Ross Kerber, “Criminals, I believe, are focusing on the countries that haven't added that higher level of security.” Agreed. But who’s going to pay for it?
The estimated cost of introducing Chip technology to existing cards is $2 a card (there are already more than a billion active cards in the US). Will the payment card industry be eating that cost? As for the PIN part of it, the card readers that US-based retailers currently have in their stores will not work. Hence, in order to support the format, each individual card reader must be replaced with a new unit, which can run up to $500 apiece. And while this presents a great opportunity for Verifone, Hypercom and other manufacturers, it’s fairly safe to say that this is an unreasonable cost for most retailers to endure. Just to give a sense of the scale of this cost, TJX alone has 12 million readers it would need to replace.
When asked how the migration could be funded, Campbell suggested “card companies, banks, and retailers share the costs of upgrading to a ‘Chip and PIN’ system.”
Now, all of us here at RSR have made it a point to never pick on TJX. While we’ve been banging on the customer data security drum as loudly as we can, we have always maintained that the crime against that organization and its customers was not out of the realm of possibility for the majority of retailers. Quite simply, they were unlucky. In fact, even today, after all of the in-depth investigation, Campbell told the Globe that TJX “believes its security was comparable to most other major retailers and generally better” than most everyone smaller.  
However, while we agree with Mr. Campbell that Chip and PIN would be a tremendous advancement for the US retail industry (and its customers), we have to wonder where this messaging is coming from.
Retailers are hurting to stay afloat right now. Many are still trying to figure out the “real” reasons to invest in PCI Compliance measures. And now the uber-victim of the retail industry emerges (with a slight nudge) to pass along a message that Chip and PIN is the answer, the cost is going to be “shared,” and retailers should get excited about paying very real money to bail out the card brands’ component of one aspect of a very real problem?