Home Depot: U.S. credit card firms slow to upgrade security
ATLANTA – Visa and MasterCard are using security measures prone to fraud, putting retailers and customers at risk of hacking attacks by cyber thieves, The Home Depot Inc. says in a new federal lawsuit.
It’s the latest giant retailer to raise serious concerns about security with its lawsuit filed this week in U.S. District Court in Atlanta. Last month, Arkansas-based Wal-Mart Stores Inc. sued Visa Inc. over similar issues.
Atlanta-based Home Depot says new payment cards with so-called “chip” technology, rolled out in the U.S. in recent years, remain less secure than cards used in Europe and elsewhere in the world.
Even with chips, U.S. cards still rely on customers’ hand-written signatures for verification, rather than more secure Personal Identification Numbers, or PINs, Home Depot maintains.
“Regardless of how the cardholder’s identity is confirmed, the chip makes data much more secure, rendering it almost useless to create fraudulent cards or transactions,” MasterCard spokesman Seth Eisen said in a statement Wednesday.
MasterCard received the court filing Tuesday and is still reviewing the claims, Eisen said.
“We are aware of the complaint and will respond in due course,” a Visa spokeswoman said in a statement Wednesday.
A central issue in Home Depot’s lawsuit is the retailer’s accusation that Visa and MasterCard are conspiring to prevent adoption of more secure technology in order to maintain market dominance and profits.
“For years, Visa and MasterCard have been more concerned with protecting their own inflated profits and their dominant market positions than with the security of payment cards used by American consumers and the health of the United States economy,” Home Depot states in its 138-page lawsuit.
About 80 nations use cards with chips, and most of them – including England, France and Australia – also require a PIN rather than a signature, Home Depot said.
“Such cards offer an extra layer of security beyond the chip itself, by requiring the user to enter a four-digit PIN, thereby ensuring that the individual using the card is the card’s owner,” Home Depot states in its lawsuit. “Signatures can be copied or forged, and cashiers are not handwriting experts trained to identify forged signatures.”
As a result, U.S. consumers and merchants such as the Home Depot pay fraud-related costs that are “unrivaled in the rest of the industrial world.”
Home Depot was targeted in one of the most highly publicized data breach cases in a wave of data heists that began with Target’s pre-Christmas 2013 attack. But Home Depot’s data breach, which lasted for months in 2014 at its stores in the U.S. and Canada, affected 56 million debit and credit cards, far more than the attack on Target customers. Hackers also stole 53 million email addresses from Home Depot customers.
Target’s breach compromised 40 million credit and debit cards. In the world of retailing, the size of the theft at Home Depot trails only that of TJX Companies’ heist of 90 million records disclosed in 2007.
Target’s sales and profits suffered for months as many shoppers stayed away. But for a variety of reasons, Home Depot’s business wasn’t as affected by the breach that took place between April and September of 2014.
But Home Depot pushed hard to activate chip-enabled checkout terminals at all of its stores by the end of that year.
Even with chip technology, the lack of PIN requirements in the U.S. could lead to even greater fraud in the future, as more transactions shift to online payments, where no physical card is presented, Home Depot said its lawsuit.
Last month, Wal-Mart said in a lawsuit that Visa won’t allow it to let its customers verify chip-enabled debit card transactions with PINs rather than the less-secure signature method.
“PIN is the only truly secure form of cardholder verification in the marketplace today, and it offers superior security to our customers,” a Wal-Mart spokesman told The Associated Press after its lawsuit was filed last month in the New York State Supreme Court.