The Home Depot has confirmed that its payment data systems have been breached, which could potentially impact customers using payment cards at its US and Canadian stores. In response, it has also confirmed that it will roll out EMV chip-and-PIN point-of-sale (POS) terminals to all US stores by the end of this year, well in advance of the October 2015 deadline established by the payments industry.
Chip and PIN payment cards, also known as smart cards, have an embedded microprocessor chip that contains the information needed to use the card for payment, and is protected by various security features, so they’re a more secure alternative to traditional magnetic stripe payment cards. Most of the world has moved to chip-and-PIN cards already, but the US has been a stubborn holdout.
News broke 2 September that a large cache of credit- and debit-card information linked to the stores, dubbed ‘American Sanctions,’ had appeared in an underground forum previously used to hawk card data from compromises at Target, P.F. Chang’s and Sally Beauty.
Details are scant—the company said only that it is continuing to investigate, focusing on events that happened from April forward. It said that it has taken “aggressive steps” to address the malware and protect customer data. The Home Depot is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store in 2014, from April on.
While the company continues to determine the full scope, scale and impact of the breach, there is no evidence that debit PIN numbers were compromised—a ray of good news. Also, so far there is no evidence that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com.
"We apologize for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue," said Frank Blake, chairman and CEO, in an online statement. "We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred. It’s important to emphasize that no customers will be responsible for fraudulent charges to their accounts."
The scope of the breach could prove to be even larger than the Target breach, which affected 40 million: The Home Depot is the world’s largest home improvement specialty retailer, with 2,266 retail stores in all 50 states, the District of Columbia, Puerto Rico, U.S. Virgin Islands, Guam, 10 Canadian provinces and Mexico.
Target, incidentally, also announced earlier in the year a goal for its accelerated, $100-million plan to move its REDcard portfolio to chip-and-PIN-enabled technology (and to install supporting software and next-generation payment devices in stores). Beginning in early 2015, it will begin accepting payments from all chip-enabled cards in its stores.