Tuesday, September 9, 2014
Week 3 - Home Depot and BlackPOS
As has been widely reported in the news, Home Depot stores in the United States and Canada have been subject to a data breach that has compromised credit and debit cards. A story published in Security Week provides information, second hand, that this breach was due to point of sale (POS) devices infected with a new variant of the BlackPOS malware. This is the same malware that was blamed for data breaches at Target, Neiman Marcus, and other retailers late in 2013. Target's breach is now thought to have exceeded 110 million customers according to a c|net story. I know we received replacement credit cards with EMV chips due to this breach, so what costs has this breach incurred in just card reissuance? And having seen what happened at Target et al., why have retailers like Home Depot not stepped up replacement of POS devices and installed new devices with EMV capabilities?
Many retailers have performed this replacement; even Target has EMV-capable devices in the Dallas, TX and Boulder, CO stores that I have been in recently, yet this functionality is not active. In fact, WalMart is the only retailer I am currently aware of that is forcing the use of EMV cards if you have one. But even there no PIN is required. You put the card in the slot, confirm the purchase amount, and wait for it to beep telling you to remove your card.
The only reason that I can think of that EMV rollout has not been more aggressive is that cost/benefit analysis has shown that the risk of a data breach and the associated costs is less than the cost of POS replacement. Even the most basic POS devices cost over $500 each. I can't imagine the number of POS devices that Home Depot has, but I suspect the cost of this data breach will exceed the replacement costs. This has been a long-term problem in this specific area.
The movement by retailers to install EMV-capable POS devices at the moment is being driven more by the October 2015 deadline from credit card issuers than by the cost associated with potential breaches. After this date retailers will be responsible for any fraudulent credit card transactions. While EMV has been successfully deployed in Europe for some time, resistance in the United States has been strong against any changes to POS devices for many years. The implementation of debit cards for use in pay-at-the-pump transactions in the early 2000s was a previous such event. This required changing out all of these POS devices, as banking regulations require debit transactions to be encrypted from the POS device.
Around the same time a small company came up with a different use of existing technology to address the POS fraud issue. This company figured out that the magnetic stripe on any transaction instrument has noise on it that is as unique as a fingerprint. Using a specially designed POS device, this noise could be read and transmitted along with the card information to validate a transaction. The best part is that the noise cannot be replicated, so the card could not be duplicated. A great idea, but again the cost/risk/benefit calculations did not favor this technology, so it never made it into use.