Data Breach: It's Not Just Target Any More


NEW YORK (TheStreet) -- Shares in Target are down over 1% Monday after company officials acknowledged the data breach announced in December was worse than feared.

But Target was apparently not the only victim.

Neiman Marcus, acquired last year by Ares Management and the Canadian Pension Plan Investment Board for $6 billion after it flirted with going public, also seems to have been hit. At least three other mall-based retailers may be victims.

As many as 110 million people, one American in three, may have had their personal data exposed in the Target attacks.

While past breaches mainly targeted the systems processing transactions, the new breaches are different in that they may involve malware placed in point-of-sale (PoS) devices.

Visa, which has a big hand in the security of transaction processing networks, warned as early as April that such attacks were possible, posting a number of malware signatures. Another Visa alert, in August, recommended a number of mitigation strategies, including using only point-of-sale devices that can encrypt data according to industry standards.

Target CEO Gregg Steinhafel now says he favors moving toward the EMV (Europay, MasterCard, Visa) chip-and-pin credit card transaction systems widely used in Europe. These use an encrypted computer chip to improve security, allowing more identifiers to be accessed than with the magnetic stripe cards used in the U.S.

EMVCo, which manages the chip-and-pin standards, estimated there were 1.62 billion EMV-compliant payment cards in use during the fourth quarter of 2012, and in some parts of Europe 95% of Point of Sale devices took the chips even then. In the Asia-Pacific region, half of all PoS devices took chip cards at the end of 2012.

The U.S. is thus the last major economy to move toward higher credit card security. A switch to EMV means replacing most credit cards and nearly all PoS devices. Visa and MasterCard began urging the switch last summer.

The problem with EMV is that its increased security doesn't apply to "card not present" transactions like those done online. EMV-USA, which advocates for the technology in the U.S., suggests that U.S. online merchants add two-factor verification to those transactions. Some companies, like Google, already use this, collecting users' phone numbers and, when users change personal information, sending them text messages with codes only the phone holder will know.

The credit card industry's problem is part of a larger problem of proving identity I wrote about in December at our sister site, MainStreet.

Problems in health IT, in credit card processing, in Internet identity theft and even in voting can be solved if government and private industry would invest in more secure proofs of identity, and if they made sure everyone had them.