The massive data breach at Target over the 2013 holiday season, which affected over 110 million customers, is slated to have significant repercussions on the payment community within the United States. The National Retail Federation’s (NRF) reaction to this infringement has been to lay the blame on retailers’ banking partners that continue to issue magnetic stripe payment cards. The bankers on the other hand, hold the retailers responsible, citing their inefficiency in securing and managing in-store systems. There is now considerable talk of a switch to the purportedly more secure EMV chip-and-pin based technology. MasterCard, American Express and Visa have all announced their intention to shift the liability for fraudulent charges onto retailers and banks, starting October 2015, if they do not upgrade their payment terminal hardware to those that accept smart cards. Unlike Europe (and elsewhere), businesses in the US continue to almost exclusively accept magnetic stripe cards. The primary deterrent to increased adoption of contactless payment in the region has been the potential overhaul of existing infrastructure, which would necessitate steep investments from card issuers and enterprise end users. This includes new terminal hardware, and distribution of chip-based credit/debit cards. In the past, payment terminal vendors have consistently indicated to VDC that these new technology upgrade investments are highly unlikely in the US unless card-related fraud increases. VDC believes this breach (and the ones that followed at Neiman Marcus and Michaels) could well be the tipping point for retailer adoption.
The focus of the conversation has now shifted to the world's two largest payment terminal vendors, VeriFone and Ingenico. According to VDC’s 2011 study on the market, these companies accounted for more than 75% of the overall market share in the Americas. Potential sales and upgrade opportunities arising out of this crisis have significantly driven up these vendors’ stock prices. VeriFone, in particular, has much to gain, with industry analysts such as Jefferies and JP Morgan upgrading their outlook on the beleaguered company. VeriFone was once viewed as a solid growth stock, well-positioned to capitalize on increased global credit card penetration. In an attempt to shift its business model from being hardware-centric to generating a recurring revenue stream via software and services, VeriFone lost its way via expensive acquisitions and, in the process, hampered relations with some of its leading clients. At the same time, VeriFone is also facing stiff competition from the likes of Square and PayPal, particularly among the micro-retailing community. This major data and security snafu that compromised consumers’ personal information might just breathe new life into the company. VeriFone has the distinct advantage of being a globally renowned payment company with a well-regarded legacy of providing secure solutions in compliance with the latest PCI mandates and government regulations. The company could potentially see a prolonged spike in hardware sales, especially as businesses in the US switch to accepting contactless smart cards.
Retailers and their payment partners can no longer push off this necessary infrastructure investment especially as they seek to assuage irate consumers’ privacy concerns. However, such a monumental change requires extensive collaboration between retailers, banks, card issuers, and payment processors. Increased public scrutiny, large-scale security breaches, and upcoming regulatory deadlines will certainly help get these ecosystem participants on the same page.
(VDC’s Steve Hoffenberg, Director of M2M Embedded Software & Tools, blogged about the data breach here.)