Target, Neiman Marcus Differ on EMVExecutives Share Views on Security at Senate Hearing
At a Feb. 4 Senate hearing, a senior executive from Target Corp. endorsed a shift to chip cards, combined with PINs, to enhance security, while a Neiman Marcus executive questioned if that was a prudent move.
The Senate Judiciary Committee hearing was convened to discuss security issues in the wake of high-profile breaches at the two retailers.
John Mulligan, executive vice president and CFO at Target, apologized on behalf of the company twice for the breach that exposed as many as 40 million payment card numbers and personal information on about 70 million customers.
He confirmed his company's efforts to improve security by accelerating the shift from magnetic stripe to chip cards for its own REDcards by early 2015, as well as the adoption of chip-enabled card readers in its stores. "We will be an active part of this solution," Mulligan said. He first commented on Target's shift to chip cards in a Feb. 3 opinion piece in the Hill newspaper.
Different Point of View
But Michael Kingston of Neiman Marcus was more reluctant to fully support a prompt move to chip and PIN.
"The issue that we're talking about here is that there are lots of different technologies available," Kingston, the company's senior vice president and CIO, told the Senate panel. "Consumers don't have a lot of these cards. None of my cards have chips on them. While it's an option, it's something that hasn't been adopted."
He continued: "All of the actors need to be able to adopt these technologies at the same time. Consumers need to; financial institutions need to; and the private sector as well needs to."
Kingston confirmed, however, that Neiman Marcus is willing to update technology to protect consumer information. "Neiman Marcus will do anything that will make the process [around] consumer information safer," he says, "including chip and PIN."
Kingston also noted: "We don't use PIN pads today. While industry will be safer, there's lots of work to make that happen. PIN pads have to process this; software changes have to happen."
Chip card technology, widely used in other nations, adheres to what is known as the Europay, MasterCard, Visa standard. The standard, which was developed in the 1990s, was implemented to reduce fraud on transactions made in-person at the point of sale. EMV, as it's better known, is widely regarded as being more secure than mag-stripe card technology. EMV cards contain embedded microprocessor chips that store, transmit and process encrypted information, so transactions made using the cards cannot be skimmed at the point of sale.
"Chip and PIN is definitely a step in the right direction," Fran Rosch, senior vice president for security vendor Symantec, testified. Rosch identified the three benefits of utilizing chip and PIN technology: the use of encryption to protect information; the difficulty in duplicating chip cards; and improved authentication by using a PIN.
Sen. Chuck Grassley, R-Iowa, acknowledged growing public concern about the increasing rate of data breaches.
"Companies with tremendous resources and multi-layered security systems can be attacked and breached," he says. "This means smaller businesses are more vulnerable to similar attacks. Businesses of all sizes need flexibility in creating and implementing their security programs."
New Breach Details
Kingston offered new details about the Neiman Marcus breach, revealing that 77 out of the company's 85 stores were affected by highly sophisticated malware that compromised payment card information for up to 1.1 million customers.
Mulligan, in his written testimony, said that Target confirmed the malware infection of its system on Dec. 15 and removed it from virtually all registers at its U.S. stores. But he noted that Target disabled malware on an additional 25 registers on Dec. 18. The additional compromised registers led to an additional 150 accounts that were affected.
The Senate panel grilled Mulligan and Kingston over the timing of the breaches and when notifications first went out to consumers.
Sen. Dianne Feinstein, D-Calif., pressed Kingston over Neiman Marcus' notification process. "I am a shopper at your institution and I don't recall getting any notice," Feinstein said.
Kingston replied that a number of different notifications have been sent out, beginning on Jan. 22.
Target's Mulligan confirmed the company notified all customers through a public disclosure four days after discovering the malware.
During the hearing, Federal Trade Commission chairwoman Edith Ramirez urged Congress to take action on passing a strong federal law that proposes standards for data security and breach notification.
Ramirez referenced the FTC's use of enforcement action against deceptive or unfair practices. "We could be even more effective in this area if there was a federal data security law that the FTC could enforce," she said.
A call for increasing FTC enforcement also was made during a Feb. 3 hearing of the Senate Banking Committee's Subcommittee on National Security and International Trade and Finance (see: Finger-Pointing at Breach Hearing).
Several bills calling for national data security and breach notification standards are pending before Congress (see Yet Another Data Breach Bill Introduced).
"Federal government has a role to play," said Sen. Al Franken, D-Minn. "There's no federal law setting out clear security standards that merchants need to meet. There's no law requiring companies to tell customers when their data has been stolen."
But Sen. Richard Blumenthal, D-Conn., along with Symantec's Rosch, noted federal standards need to be flexible.
"Today, information is everywhere - data centers, the cloud and mobile devices," Rosch said. "The attack surface is exploding. We need to be flexible to adjust."
Neiman Marcus' Kingston expressed concerns surrounding security standards. "The thing we have to keep in mind is the threat landscape continues to evolve every day," he says. "As soon as we establish the standards, the whole world knows about it and that gives them the ability to try to come up with ways to defeat those standards."