Target Corp. said on Tuesday that it passed its latest Payment Card Industry data-security standard (PCI) inspection a mere three months before confirming in December that a data breach compromised 40 million customers’ payment card numbers. Target also said it is fast-tracking its efforts to roll out chip card acceptance in its U.S. stores, about a decade after it abandoned a first-generation chip card project.
Target’s latest news comes on the day when the Senate Judiciary Committee held the second of four Congressional hearings this week on the topic of data breaches and cyber-security. Executives from Target and Neiman Marcus Group, which in January confirmed a data breach that compromised an estimated 1.1 million credit cards, testified along with a consumer advocate, data-security executive and government officials.
Minneapolis-based Target joins a growing list of breached retailers and payment processors that have said they passed their latest annual PCI inspection only to report a breach less than a year later. “As recently as September 2013, our systems were certified as compliant with the Payment Card Industry data-security standards,” Target executive vice president and chief financial officer John Mulligan said in his written testimony for the Senate Judiciary Committee’s hearing dubbed “Privacy in the Digital Age: Preventing Data Breaches and Combatting Cybercrime.”
Mulligan gave no details about the PCI audit, and like Michael R. Kingston, chief information officer at Neiman Marcus, said Target had a sophisticated anti-fraud system that hackers nonetheless were able to penetrate with hard-to-detect malware. The payment card networks say annual PCI inspections are snapshots that don’t mean a merchant or processor is ever definitively secure, and in the wake of any breach they typically declare the breached company out of PCI compliance. That action triggers a process of remediation, fines and re-certification.
Senators spent little time Tuesday reviewing the nuances of PCI but asked numerous questions about chip cards as replacements for vulnerable magnetic-stripe cards that are now mostly gone from the industrialized world except in the United States. They also picked up on a debate in the payments industry about the role of PINs with the coming of Europay-Visa-MasterCard (EMV) chip cards under a series of network deadlines and incentives, including a shift of liability for point-of-sale fraud to the non-EMV-capable party in October 2015. In a contributed piece for The Hill, a Washington publication that tracks Congress, and in his comments today, Mulligan revealed some details about Target’s initiative to accept EMV cards in its U.S. stores as well as issue such cards.
“Since the breach, we are accelerating our own $100 million investment to put chip-enabled technology in place,” Mulligan said in The Hill. “Our goal: implement this technology in our stores and on our proprietary REDcards by early 2015, more than six months ahead of our previous plan.”
Target, which has nearly 1,800 U.S. stores, already has what it calls “guest-payment devices” in 300 stores and it hopes to have the stores’ chip-acceptance upgrades done by the fourth quarter, Mulligan said at the hearing. In response to a question from Sen. Mazie K. Hirono, D-Hawaii, about whether the chip card system would require PINs, Mulligan said it would—a sentiment widely shared in the merchant community and by many of the senators, but less so among card issuers. “We’ve been proponents of chip-and-PIN for a very long time,” said Mulligan, noting that Target tried but abandoned its initial chip card effort because of the cost at the time and the lack of support for chip cards outside of Target.
Pro-PIN sentiment isn’t universal among merchants, either. Dallas-based Neiman Marcus, an upscale retailer where credit dominates card payments, does not have PIN-accepting devices at the point of sale, said Kingston. He didn’t want to be pinned down when asked whether chip card transactions should be further authenticated with a PIN, saying “there’s a lot of work to do” in getting a chip-card system up and running.
Target’s breach, which involved malware that accessed its point-of-sale system, compromised not only 40 million credit and debit cards, but also non-card information on about 70 million customers. Target initially said the theft of card data occurred between Nov. 27 and Dec. 15 of last year. In his prepared remarks, however, Mulligan said that on Dec. 18 Target disabled malware on 25 more registers that had been “disconnected from our system when we completed the initial malware removal on Dec. 15. As a result, we determined that fewer than 150 additional guest accounts were affected.”
In addition to Target and Neiman Marcus, crafts retailer Michaels Stores and hotel operator White Lodging have reported data breaches in the past month, a big reason why lawmakers called the hearings. Whether they result in a federal data-breach notification law when past efforts have failed is unknown. But pressure for passage is building, according to Democrats on the Judiciary Committee. “We have to do something,” said Sen. Amy Klobuchar, D-Minn.