Target Corp. (TGT)’s massive data breach over the holidays made French security expert Olivier Piou more popular than ever with U.S. executives.
Piou, chief executive officer of security software and payment chip maker Gemalto NV (GTO), said he’s spent 60 percent of his time in the U.S. since the incident -- four times more than usual -- meeting with CEOs and lead directors who are worried about repeating Target’s mistake. This week, Target ousted its CEO, who has been criticized for moving too slowly to bolster the retail chain’s defenses after being warned that point-of-sale terminals were vulnerable to cybercriminals.
“Companies with massive amounts of data know now that they are exposed,” Piou said in an interview at Bloomberg’s headquarters in New York. “Nobody could forecast that Target could happen, but the fact that it did happen, there are no more excuses. It’s come to the board level.”
That hacker attack on Target compromised the personal data of millions of shoppers and has now increased the pressure on U.S. retailers and banks to end years of squabbling over costs and embrace a more secure payments system. The method, a chip-based technology called EMV, thwarts hacking better than magnetic strips and has been widely used in Europe and Asia for years. Amsterdam-based Gemalto is one of the largest providers of the chip-card technology.
Piou called the Target breach a black swan for the retail and payments industries, referring to the theory in which highly improbable events wreak havoc.
“Post-Target, every meeting I have now is not with the IT guys or the banking guys, it’s with the CEOs and frequently in the presence of the lead director, which shows that the problem has elevated to the top of the organization,” he said. “It’s a question of reputation. It’s a question of fiduciary duty.”
A 55-year-old engineer, Piou became CEO of the company after Gemplus International SA and Axalto Holding NV agreed to merge in 2005. Gemalto, which invented the smart chip used in bank cards and mobile phones, generated 361 million euros ($503 million) of its sales in the U.S. last year, about 15 percent of total revenue.
Gemalto’s shares had climbed 25 percent in the last year through yesterday, while Target dropped 18 percent.
The revelations of hacking attacks late last year at Target, as well as luxury chain Neiman Marcus Group Ltd. and arts-and-crafts retailer Michaels Stores Inc., have put the spotlight on a nationwide delay in embracing a more secure payment technology.
EMV -- a technology named for early backers EuroPay International, MasterCard Inc. and Visa Inc. -- is considered more secure because it creates a unique code for each transaction. Its chips make data harder to copy than from the magnetic strips on most cards in the U.S.
Visa and MasterCard have given U.S. retailers and banks until October 2015 to adopt EMV -- in the form of chip-cards that require either a signature or a personal identification number -- or assume liability for some fraudulent transactions.
The U.S. has been slower to adopt the technology in part because of the expense to convert to EMV, according to Julie Conroy, research director at Aite Group focusing on payments, fraud and data security. It will cost banks and retailers about $10 billion to $11 billion to convert their hardware and plastics alone, and that doesn’t include software costs, Conroy said. Target has said it will spend about $100 million for registers that read the new cards and Target-branded smart-chip cards.
Of the 1 billion cards issued in the U.S., only about 2 percent have chips, Randy Vanderhoof, executive director of the industry association Smart Card Alliance, said in an e-mail. About 2 million EMV-capable point-of-sale devices have been installed in retail locations, making up about 20 percent of the total market, Vanderhoof said.
While catching up to the chip-and-signature or the chip-and-PIN technology used in Europe and Asia would be an improvement, Piou said American companies could leapfrog their counterparts by opting for contact-free payments through chips embedded in cards or mobile phones.
These work by bringing a chip -- via a card, smartphone, passport or other device -- within proximity of a data reader without the device ever leaving the possession of the consumer. Through “mutual authentication,” both devices would have to verify that the other is valid before a payment could be processed, Piou said.