Target Hearings: EMV Not Enough
Testimony Highlights Need for More Technology, Security Layers
At Congressional hearings held March 5 and 6, cybersecurity experts stressed that adoption of chip cards is just one of many steps that need to be taken to secure the U.S. payments infrastructure. They also called for more education of retailers about card data security and stronger enforcement of Payment Card Industry data security standards.
The two hearings were called in the wake of the Target Corp. and Neiman Marcus breach investigations. The House Committee on Financial Services held its session March 5, while the House Committee on Science, Space and Technology hearing was held March 6.
EMV Alone Not Enough
Troy Leach, the lead security standards architect for the PCI Council, testified March 5 that the vulnerabilities of magnetic-stripe card transactions have to be addressed. But he stressed that a migration to more secure chip card technology that conforms to the Europay, MasterCard, Visa standard would not, by itself, eliminate all security risks. In fact, he contended that the use of chip cards would not have prevented the exposure of card data caused by the malware attacks against Target and Neiman Marcus.
"The EMV chip is an extremely effective method of reducing counterfeit and lost/stolen card fraud in a face-to-face payments environment," Leach noted in his written testimony. "Protection from malware-based attacks requires more than just EMV chip technology. Reports in the press regarding recent breaches point to the insertion of complex malware. EMV chip technology could not have prevented the unauthorized access, introduction of malware and subsequent exfiltration of cardholder data. Failure of other security protocols required under [PCI] Council standards is necessary for malware to be inserted."
Layered Security Approaches
In his testimony March 6, Randy Vanderhoof, executive director of the Smart Card Alliance, explained that multiple layers of security, such as chip cards and tokenization, have to be implemented to ensure adequate protection of cardholder data. "We also need to maintain and invoke stronger enforcement when breaches occur to track down those who are responsible," he added.
Bob Russo, general manager of the PCI Council, testified at the same hearing that weak passwords for POS network and device access remain one of the retail industry's greatest security risks. "This is why the council is so focused on education," he said.
And Charles Romine of the National Institute of Standards and Technology pointed out that stronger security has to be embraced by the private sector to help prevent breaches. "Having additional regulation is probably not the answer," he said. "Regulating behavior is not going to be as effective as focusing on usability [of security technology]."
But consumer advocate Justin Brookman of the Center for Democracy & Technology testified that giving the Federal Trade Commission more regulatory oversight and enforcement power for data security compliance could have an impact. "It would be good to strengthen the Federal Trade Commission's ability to go after those that are breached," he said, calling for the FTC to issue fines to those proven responsible for lax security that leads to breaches. The threat of financial penalties could encourage retailers and others to implement stronger security, he argued.
Without federal mandates for compliance with minimal security standards, businesses have a difficult time determining how much of an investment they should make in advanced cybersecurity technologies, Steven Chabinsky of CrowdStrike, a cyberintelligence company, testified. "We need more research about return on investment," he said. "It's challenging for businesses to know the benefit versus the cost."
'A National Security Concern'
Rep. Dan Maffei, D-N.Y., said the security of payments is of prime importance. "This is a national security concern" that all industry sectors have a vested interest in, he said.
Because many cyber-attacks are waged by groups based outside the U.S. for a multitude of reasons, the government's review of these attacks has to go far beyond the retail sector, Maffei said.
Last month, members of Congress questioned executives from Target and Neiman Marcus about their breaches. Both retailers were attacked by malware that ultimately exposed credit and debit data collected in the clear at the point of sale before it was encrypted as the transactions were processed (see Breach Hearings: How Did Security Fail?).
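The point Leach and Vanderhoof make above, that EMV does not help once card data is sitting in the clear inside the POS application, and that a further layer such as tokenization is needed, can be shown with a small model. The following Python is an added illustration written for this page, not code from the hearings, the PCI Council or any vendor. It models two data flows for the same sale: one where the POS application assembles the transaction from raw track data (the situation described in the paragraph above), and one where a reader boundary tokenizes the PAN before anything reaches the application. A cardholder-data discovery check of the kind a PCI DSS scoping scan runs over application data then shows which flow leaves a PAN exposed. The track string, the reader key and the HMAC-based token scheme are all constructed assumptions; a production deployment would use a certified reader with point-to-point encryption and a real token vault.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample input: a track-2 style string (PAN=YYMM...) built from the
# well-known Visa test PAN 4111111111111111, not real cardholder data.
SAMPLE_TRACK = "4111111111111111=2512101"
READER_KEY = b"constructed-reader-key"  # assumed key provisioned to the reader


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation (ISO/IEC 7812), used to filter digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


_PAN_RUN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def find_cleartext_pans(buffer: bytes) -> list:
    """Cardholder-data discovery: return Luhn-valid 13-19 digit runs in a buffer.

    This is the check a PCI DSS scoping scan runs over data at rest or in
    application memory to confirm no PAN is present in the clear."""
    return [m.decode() for m in _PAN_RUN.findall(buffer) if luhn_ok(m.decode())]


class ReaderBoundary:
    """Models a secure card reader: track data is parsed and tokenized here, so
    the POS application only ever receives a token plus non-sensitive fields."""

    def __init__(self, key: bytes):
        self._key = key

    def capture(self, track: str) -> dict:
        pan, rest = track.split("=", 1)
        # Keyed tokenization (HMAC-SHA256, base32) stands in for a token vault;
        # the key never leaves the reader boundary, so the application cannot
        # recover the PAN from the token.
        mac = hmac.new(self._key, pan.encode(), hashlib.sha256).digest()
        token = base64.b32encode(mac).decode().rstrip("=")[:20].lower()
        return {"token": token, "last4": pan[-4:], "exp": rest[:4]}


def unprotected_flow(track: str, amount_cents: int) -> bytes:
    """POS application assembles the transaction from raw track data; the PAN
    sits in application memory in the clear until the processor encrypts it."""
    return f"txn|track={track}|amount={amount_cents}".encode()


def layered_flow(track: str, amount_cents: int, key: bytes = READER_KEY) -> bytes:
    """Same transaction with tokenization pushed into the reader boundary."""
    rec = ReaderBoundary(key).capture(track)
    return (f"txn|tok={rec['token']}|last4={rec['last4']}|exp={rec['exp']}"
            f"|amount={amount_cents}").encode()


if __name__ == "__main__":
    print("unprotected:", find_cleartext_pans(unprotected_flow(SAMPLE_TRACK, 1999)))
    print("layered:    ", find_cleartext_pans(layered_flow(SAMPLE_TRACK, 1999)))
```

Running the module shows the unprotected flow's transaction buffer contains the full PAN, while the layered flow's buffer holds only a token, the last four digits and the expiry. The design point is that the EMV chip changes how the card authenticates at the terminal but not what the application holds afterwards; only moving capture and tokenization behind a boundary the application cannot reach changes what a compromised POS host can see.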