VeriFone Systems Inc. (PAY:US), EMC Corp. (EMC:US)’s RSA and Ingenico are poised for a gain in sales as U.S. retailers turn to makers of payment terminals and security software for help shoring up their anti-hacking defenses.
Ever since Target Corp. (TGT:US) disclosed in December that hackers stole financial data from 40 million customer accounts, companies as disparate as casinos, grocers and luxury-goods stores have requested help to make customer data more secure, say payment technology executives. Interest surged anew when Neiman Marcus Group Ltd. said it too had been hit and Michaels Stores Inc. also reported its customer data may have been compromised. Concerns over consumer data took center stage again this week as Target and Neiman Marcus executives began testifying before Congress.
VeriFone’s revenue from point-of-sale hardware bought by big retailers in North America will surge 15 percent this year starting in April, estimates Wayne Johnson, an analyst at Raymond James & Associates. By the end of 2014, as many as 50 percent of U.S. retailers will have installed terminals capable of handling more secure chip-based cards, Gil Luria, a Wedbush Securities Inc. analyst, said in a note.
“This will get retailers to spend more on security, which is good for VeriFone and Ingenico,” Luria said in an interview. “These hacks will encourage retailers to buy more new chip-enabled terminals.”
For retailers, options include beefing up efforts to stave off phishing attacks, accelerating a move to credit cards with chips embedded, rather than magnetic strips, and encrypting data as it moves from checkout terminals to remote servers.
Such purchases would indicate an increase in spending by U.S. chains, which have, for years, invested far less than other industries on data security -- making them more vulnerable to attacks than retailers in Europe. The U.S. accounts for almost half of $12.42 billion in annual global fraud losses on payment cards, according to the Nilson Report, an industry newsletter in Carpinteria, California.
Constrained by thin margins, U.S. retailers traditionally have focused technology investments on building customer-friendly websites, among other priorities, said Greg Buzek, president of IHL Group, a retail-technology consulting firm based in Franklin, Tennessee.
They also were aware that the impact of data breaches typically faded fast, including one at TJX Cos. that affected more than 100 million people last decade.
U.S. chains can shrug off data breaches no longer. Last month, the Federal Bureau of Investigation warned some retailers that attacks are on the rise, said Jenny Shearer, a spokeswoman.
There is evidence that the attacks are spooking some consumers. While many retailers struggled to lure shoppers this holiday season, Target said sales at its U.S. unit were “meaningfully weaker” after disclosing the data theft.
John Mulligan, chief financial officer of the chain, apologized to U.S. lawmakers at the hearing yesterday for the data breach and said security will be improved as Target speeds up implementation of chip-enabled card technology.
“I want to reiterate how sorry we are that this has happened,” Mulligan said.
The chain also could face as much as $1.1 billion in payments to banks related to the data breach, Jason Kupferberg, a Jefferies analyst, said in a Jan. 29 report.
“All the large retailers are looking to ensure this doesn’t happen to them,” said Thierry Denis, president of Ingenico North America, a French maker of payment terminals. “Before they would have said, ‘No, we don’t want to spend money on security.’ Now they know they’d better spend more.”
In the past couple of years, retailers have begun preparing for a switch from cards with magnetic stripes to ones based on chips already widely used in Europe. Holders of such cards typically enter passwords when making a purchase, adding an extra layer of security.
Chains may now accelerate installations of EMV -- Europay, MasterCard and Visa -- terminals, which work with chip-based cards, Luria said.
He expects the surge in the technology’s adoption to increase VeriFone’s sales by $50 million in fiscal 2015, and another $50 million in fiscal 2016. That would add about 15 cents to VeriFone’s earnings (PAY:US) for each of those years, Luria said in a Jan. 28 note.
Since Target disclosed the breach, shares of VeriFone have gained 21 percent through yesterday’s close. Ingenico (ING) has gained 9.7 percent while EMC is little changed. The Standard & Poor’s 500 Index has declined 3.1 percent in the period. VeriFone fell 2 percent to $27.44 at 10:50 a.m., while Ingenico rose 0.5 percent to 63.73 euros and EMC gained 0.3 percent to $23.73.
Industry analysts say chip-based cards wouldn’t have stopped the hackers from gaining access to Target customer data. In that case, the criminals likely sneaked in after the cards were swiped and during the brief period unencrypted data moved to the chain’s servers, Kupferberg said in the report.
Now retailers are shopping for software that encrypts data for the entire payment process, according to Ingenico’s Denis.
“Encryption may not have been at the forefront of discussions, as EMV was,” he said. “Now they’re asking about both.”
So-called point-to-point encryption can cost “millions of dollars,” said Robert Sadowski, director of technology solutions for RSA, which is based in Bedford, Massachusetts.
Those purchases may be approved now that retailers’ executives and board members are getting involved in overseeing the efforts to protect their companies from breaches.
“There’s more interest by the boardroom, more interest by the CEO, by the CTO,” said Tiffany Jones, senior vice president of client solutions for iSight Partners, a Dallas-based data security firm.
Defenses against phishing attacks designed to trick retail employees into clicking on bogus sites and compromising the whole database are another top priority for retailers, according to Steve Ward, the marketing chief at Invincea, a data-security company based in Fairfax, Virginia.
After the government issued a warning on Jan. 2 identifying phishing as a big security risk, Invincea saw a spike in calls from what Ward calls a who’s-who of retailers.
“We’ve had seven or eight calls where they literally say, ‘Can you come in tomorrow?’” Ward said. “We’ve seen an insane flood of interest.”
Reporters on this story: Olga Kharif in Portland; Lauren Coleman-Lochner in New York
Editor responsible for this story: Tom Giles