Target has announced more steps in its efforts to regain trust with its shoppers in the wake of a massive data breach.
The Minneapolis-based retailer said Tuesday that it named outsider Bob DeRodes, who has 40 years of experience in information technology, as its new chief information officer.
DeRodes has been a senior information technology adviser for the Center for CIO Leadership, the U.S. Department of Homeland Security, the secretary of defense and the Department of Justice. He will assume oversight of the company’s technology team and operations, effective May 5.
The nation’s third-largest retailer also announced that MasterCard Inc. will provide its branded credit and debit cards with the more secure chip-and-PIN technology that it says will be coming out next year. That will make Target the first major U.S. retailer that will have its own branded cards with this technology, experts say.
“Establishing a clear path forward for Target following the data breach has been my top priority,” Gregg Steinhafel, Target’s chairman, president and CEO, said in a statement. “I believe Target has a tremendous opportunity to take the lessons learned from this incident and enhance our overall approach to data security and information technology.”
Target said it is continuing its search for a chief information security officer and a chief compliance officer.
Target is still dealing with fallout from a massive breach that has hurt profits and sales and its reputation among shoppers worried about the security of their personal data. The company disclosed Dec. 19 that a data breach compromised 40 million credit- and debit-card accounts between Nov. 27 and Dec. 15. Then, on Jan. 10, it said hackers stole personal information — including names, phone numbers, and email and mailing addresses — from as many as 70 million customers.
In the wake of the breach, Target has been making changes, including overhauling some of its divisions that handle security and technology. The company has also been accelerating its $100 million plan to roll out chip-based credit-card technology in all of its nearly 1,800 stores.
The new payment terminals will be in the stores by September, six months earlier than planned, Target reiterated. But the company said Tuesday that beginning in early 2015, Target will be able to accept these payments from all of its Target-branded credit and debit cards. Existing Visa Inc. cards will be reissued as MasterCard co-branded chip-and-PIN cards. Shoppers will be required to type in their personal identification numbers.
Target had long been an advocate for the widespread adoption of chip-and-PIN card technology but hadn’t outlined specific plans until now for its own branded cards.
Jason Oxman, CEO of the Electronics Transaction Association, which represents the payments-technology industry, described the steps as “significant.”
During a hearing on Capitol Hill on data security, Target CFO and executive vice president John Mulligan said its branded cards accounted for 15 percent of all the cards compromised. Of Target’s various types of cards, only the REDcard Visa credit card has seen a small increase in fraud, about a 0.1 percent uptick.
While magnetic strips transfer a credit-card number, chip cards use a one-time code that moves between the chip and the retailer’s terminal, resulting in data that is useless except to the parties involved. They’re also regarded as nearly impossible to copy, at least for now. The technology has been a standard in Europe and other regions for years.
But naysayers say that the protections chips provide only go so far, noting that they don’t prevent fraud in online commerce, where consumers still have to enter their credit-card numbers. Some also point to other technologies as better long-term solutions.
In March, Visa and MasterCard announced plans to bring together banks, credit unions, retailers, makers of card-processing equipment and industry trade groups in a group that aims to strengthen the U.S. payment system for credit and debit cards. The initial focus of the new group will be on banks’ adoption of chip cards.
That comes ahead of a liability shift set to kick in in October 2015. When that occurs, the costs resulting from the theft of debit- and credit-card numbers will in most cases fall on the party involved with the least-advanced technology.