Even so, EMV is widely considered better than the magnetic stripe technology used to encode data in most credit and debit cards issued in the U.S., which is one of the few countries not to adopt EMV.
The NRF insists that retailers are ready and willing to make the investments necessary to switch to the EMV standard. But banks have so far at least not been willing to make the switch.
The scope of the Target breach drew the attention of lawmakers. Members of the House Financial Services Committee have called for a hearing on the breach to look into what might have happened and to figure out if new data protection mandates are needed for retailers.
While the ABA, CUNA and other banking groups would welcome such federal intervention, it could spell trouble for retailers.
In the aftermath of the TJX breach back in 2007, some lawmakers wanted to require that retailers implement data security standards similar to those imposed on financial services companies.
Retailers argued then that such measures aren't needed because the data they handle is far less sensitive than that maintained by banks and other financial institutions. Even so, there's a real risk that the breach will prompt Congress to significantly expand the scope of mandated data protection requirements.
It's now time for an industry-wide discussion on data security, says Cathy Hotka, a long-time retail consultant who helped set up the CIO Council at the NRF years ago.
Ten years ago, a Target-like breach would have been seen as an unfortunate one-off incident, Hotka says.
These days, she said, "We know there are these spectacularly sophisticated tools that bad guys can use to gain access to any network. They are vastly better equipped than they used to be [so] the time for action is now."