business

The pre-Christmas data theft of millions of credit and debit cards used at Target may have shocked consumers, but the retail giant knew the threat was real and had pursued an innovative solution years ago.

In the early 2000s, the Minneapolis-based company installed “smart card” technology at all its U.S. stores, designed in part to thwart the kind of security breach that Target is now scrambling to contain. The company said it ultimately abandoned the three-year pilot because no other retailer adopted the technology, which put Target at a disadvantage because the emerging technology slowed down checkout times.

“We went out on our own and did something innovative and ultimately the industry didn’t keep pace with Target,” Chief Financial Officer John Mulligan said in a recent interview. “So there wasn’t a lot of benefit outside Target for our guests. And the in-store experience was adversely impacted because it was a slower checkout process.”

For smart cards to work, everyone needs to use the technology, Mulligan said. “The data breach hasn’t change our viewpoint on this at all. We have been advocates for moving to such a system for quite some time.”

The 19-day breach is among the country’s largest recorded data security breaches. It exposed the credit and debit card information of 40 million people who paid with plastic at U.S. Target stores between Nov. 27 and Dec. 15. The stolen information included all types of credit and debit cards, including Target’s own Redcard.

The breach underscores the difficulty retailers face in safeguarding consumer information at a time when companies like Target depend on such cards to drive sales and customer loyalty.

Target’s Redcard program, which offers 5 percent off each purchase and free Internet shipping, is a crucial component to the retailer’s strategy of getting consumers to frequently shop at Target stores and buy more stuff.

It also collects enormous amounts of consumer data, information Target can use to target consumers with specific offers based on past purchases.

“They have to protect [the Redcard],” said Joshua Carlson, a Minneapolis-based data privacy attorney who formerly worked at Best Buy. “It’s their secret sauce.”

Target first conceived of a proprietary “smart” credit card in the early 2000s. Such cards, which generated big profits, had long been a staple at department stores, and Target felt it was upscale enough to warrant a card of its own.

The original Redcard offered members 10 percent off on certain days throughout the year. Target also wanted to experiment with chip-based smart cards that could offer digital coupons based on a user’s purchase history stored on the chips. The smart card technology, which is used widely in Europe, also was considered safer than magnetic-striped cards.

Other retailers didn’t follow

Chip cards employed a feature called “dynamic data,” in which the system automatically alters the account information in a unique way each time a customer swipes the card.

That would make the card unusable to anyone but the customer. Target could also issue new accounts, establish authorized users, and change PIN numbers without reissuing the cards.

Target installed readers at all its stores, but ultimately pulled the plug because competitors stuck to the old system. And the technology made for slower checkout lines.

“They were ten years ahead of their time,” said Carlson, the privacy attorney. “Back then, you had to sign for each transaction. Think of the number of transactions per terminal per day at over a thousand stores.”

For the technology to succeed, “there has to be a massive, coordinated effort to move to chip-base cards,” Carlson said. “It’s valid Target tried, and it’s valid that they didn’t go ahead with it.”

Target went back to magnetic stripes and the Redcard eventually became a huge success, especially after it offered 5 percent off each purchase and the retailer extended debit cards to non-credit-card shoppers.