Sears Announces Kmart Malware Attack - Says EMV 'Chip' Payment System Prevented Large Scale Fraud

Five days after Chipotle, Inc. announced that a massive malware attack had resulted in widespread theft of customer payment card data, Kmart parent company Sears ($SHLD) revealed that several Kmart locations had been similarly infected with malware. While the beleaguered company disclosed that "certain credit card numbers" were compromised, it appears that the majority of customers were unaffected, which the company attributes to its decision to upgrade all Kmart locations to EMV "smart chip" credit and debit card point-of-sale (POS) terminals.

All Kmart stores were EMV “Chip and Pin” technology enabled during the time that the breach had occurred, and we believe the exposure to cardholder data that can be used to create counterfeit cards is limited. -Kmart

This is in stark contrast to a 2014 malware attack on Kmart's older magnetic-stripe point-of-sale system, which resulted in the theft of customer card data that allowed thieves to create counterfeit cards, according to Sears spokesman Chris Brathwaite.

[2014] Brathwaite stressed that the data stolen included only “track 2” data from customer credit and debit cards, and did not include customer names, email addresses, physical addresses, Social Security numbers, PINs or any other sensitive information.


However, he acknowledged that the information stolen would allow thieves to create counterfeit copies of the stolen cards.
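Track 2 is the magnetic-stripe field that matters here: the PAN, expiry, service code and the issuer's discretionary data (which on a stripe includes the static CVV1), which is everything a counterfeiter needs to encode a working clone. On a chip transaction the terminal instead sees the EMV Track 2 Equivalent Data, whose discretionary field carries an iCVV that differs from the stripe's CVV1, so a record lifted from a chip read fails issuer verification when written to a counterfeit stripe; that is the mechanism behind Kmart's statement above. The following Python is an added example, not code from Kmart, Sears or this article: it parses ISO/IEC 7813 track 2 records, validates the PAN with the ISO/IEC 7812 Luhn check, reads the chip-preferred and PIN-required bits of the service code, and sweeps a process-memory buffer for track 2 data the way a RAM-scraper detector (or the scraper itself) would. The memory image and the PANs are constructed test values (the public Visa and Mastercard test numbers), not breach data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ISO/IEC 7813 track 2 as a magstripe reader (or a POS process holding the
# swipe in memory) presents it: optional ';' start sentinel, PAN of 13-19
# digits, '=' field separator, YYMM expiry, 3-digit service code, issuer
# discretionary data (PVKI/PVV and the static CVV1 on a stripe), optional
# '?' end sentinel. RAM scrapers and the detectors hunting them use the
# same shape of pattern.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})(\d{0,16})\??")


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit; filters out digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Track2:
    pan_masked: str        # a detector never keeps or logs the full PAN
    expiry_yymm: str
    service_code: str
    chip_preferred: bool   # service code 2xx/6xx: issuer says "use the chip where possible"
    pin_required: bool     # service code xx0/xx3/xx5: PIN must be verified
    discretionary_len: int


def mask_pan(pan: str) -> str:
    """PCI DSS-style masking: at most the first six and last four digits remain."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _decode(m: "re.Match") -> Optional[Track2]:
    pan, exp, svc, disc = (g.decode("ascii") for g in m.groups())
    if not luhn_ok(pan):
        return None
    return Track2(
        pan_masked=mask_pan(pan),
        expiry_yymm=exp,
        service_code=svc,
        chip_preferred=svc[0] in "26",
        pin_required=svc[2] in "035",
        discretionary_len=len(disc),
    )


def parse_track2(raw: str) -> Optional[Track2]:
    """Parse one track 2 string; None if malformed or Luhn-invalid."""
    try:
        data = raw.encode("ascii")
    except UnicodeEncodeError:
        return None
    m = TRACK2_RE.fullmatch(data)
    return _decode(m) if m else None


def scan_buffer(buf: bytes) -> List[Track2]:
    """Sweep a memory dump for track 2 records, keeping only Luhn-valid hits."""
    hits: List[Track2] = []
    for m in TRACK2_RE.finditer(buf):
        t = _decode(m)
        if t is not None:
            hits.append(t)
    return hits


# Constructed memory image for demonstration: two track 2 records using the
# public Visa and Mastercard test PANs (not real cardholder data) and one
# Luhn-invalid digit run that a naive regex would report as a card.
SAMPLE_MEMORY = (
    b"\x00\x01POSAPP\x00"
    b";4111111111111111=25122011234567890?"    # 2xx service code: chip-preferred card
    b"\x00\x00junk 1234567890123=9912999000 "  # fails Luhn, dropped
    b";5555555555554444=24101011234567890?"    # 1xx: international, no chip indicated
    b"\xff\xfe"
)

if __name__ == "__main__":
    for t in scan_buffer(SAMPLE_MEMORY):
        print(t)
```

The Luhn filter is what separates a usable detector from a noisy one: process memory is full of 13- to 19-digit runs (timestamps, counters, hashes rendered as decimal) and only a tenth of them pass the check digit by chance. Because the pattern is the same one a scraper searches for, it also translates directly into a YARA-style rule for memory or file scanning; the masking in `mask_pan` matters because a detection tool that writes full PANs to a log has just created a second cardholder-data store.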

Kmart has issued a FAQ regarding the hack.

While Kmart looks to have dodged a bullet, Chipotle is still using magnetic-stripe POS terminals

Chipotle ($CMG) declined to upgrade to the newer EMV chip-reading equipment in 2015, citing inefficiencies and concerns over delays in the chip authentication process in a fast-paced food service environment.

The breach could mean big trouble for shares of Chipotle, which have only partially recovered from an E. coli outbreak in late 2015. According to Reuters, security analysts say the company will likely face fines based on the size of the breach and the number of records compromised.

“If your data was stolen through a data breach that means you were somewhere out of compliance” with payment industry data security standards, said Julie Conroy, research director at Aite Group, a research and advisory firm.


“In this case, the card companies will fine Chipotle and also hold them liable for any fraud that results directly from their breach,” said Avivah Litan, a vice president at Gartner Inc (IT.N) specializing in security and privacy. -Reuters

Who knows, maybe the GMO-refusing burrito merchants carry separate cyberliability insurance? 

In October 2015 the card networks shifted counterfeit-fraud liability to merchants who hadn't upgraded to EMV

Per Gizmodo...

If stores accept EMV payments, the credit card companies still accept liability for counterfeit fraud. That’s true even if the store accepts EMV payments, but also accepts magnetic stripe payments, and one of those magnetic stripe payments turns out to be fraudulent. The technical wording from Visa is, “The party that has made investment in EMV deployment is protected from financial liability for card-present counterfeit fraud losses on this date. If neither or both parties are EMV compliant, the fraud liability remains the same as it is today.”

While EMV does nothing to stop card-not-present fraud, such as over-the-phone or online purchases, MasterCard said counterfeit card fraud at chip-enabled merchants had dropped 54% year-over-year as of January 2016. That's significant.

As the banking industry shifts towards convenient and safe digital payment systems and a cashless society, enjoy the smell of paper fiat currency while it's still around. Then go hang out with your gold and silver collection.