Recent data breaches at retail stores, including Target and Neiman Marcus, have driven consumers and legislators to demand a change in data security systems. A series of hearings and discussions Monday and Tuesday addressed the challenges of privacy protection in the digital age.
Target CEO Gregg Steinhafel revealed in December that the retail chain had experienced “unauthorized access” to payment card data at U.S. stores between Nov. 27 and Dec. 15. John Mulligan, Target’s chief financial officer, said at the hearing that up to 70 million individuals were affected.
Michael Kingston, chief information officer for Neiman Marcus, testified that account information from transactions in 77 stores between July and October 2013 was exposed.
The company’s anti-virus software did not detect the attack. There were no red flags until Dec. 17 when MasterCard alerted the store. Neiman Marcus notified customers of the data breach Jan. 10.
Since the beginning of this year, the craft and hobby chain Michaels, the hotel management company White Lodging and Yahoo announced they are investigating large-scale security breaches that may have compromised customer and user information.
“Our card payment system is outdated and ripe with opportunities for fraud. … The fraudsters rely on our system being so poor,” Mallory Duncan, general counsel of the National Retail Federation, said at a hearing Monday before the Banking, Housing and Urban Affairs subcommittee on National Security and International Trade and Finance.
Retailers, banks and security experts testified in support of a transition from the standard “signature-and-stripe” credit card to chip-and-PIN, or EMV, cards, which are said to keep consumer information more secure. EMV cards are embedded with microchips that hold consumer data, rather than magnetic strips. Users must enter a four-digit PIN to complete a purchase.
Delara Derakhshani, policy counsel for Consumers Union, said Visa and MasterCard will not be ready to make this switch until October 2015. Duncan said it would cost retailers across the country $3 billion to make a complete transition.
Chip-and-PIN cards are broadly accepted in more than 130 countries, leaving the U.S. lagging behind in credit card technology. Sen. Richard Blumenthal, D-Conn., said the U.S. uses 25 percent of the world’s credit cards but accounts for more than half of all fraud.
Sen. Mark Warner, D-Va., said that based on the U.K.’s experience with EMV cards, the updated method will not solve all problems.
Warner, who chaired the hearing, said in-store fraud dropped dramatically but online fraud in the U.K. rose about 30 percent.
The committee suggested creating a national security standard to ensure that all retailers use the most advanced cyber protection and notify consumers as soon as possible. Witnesses discussed the risks such legislation could pose.
“As soon as we establish a standard … the whole world knows about it and that gives them the ability to try to … come up with ways to beat those standards,” Kingston said.
Sen. Patrick Leahy, D-Vt., introduced the Personal Data Privacy and Security Act of 2014 in January. It would create tougher criminal penalties against hackers and stronger cyber protection at retail stores.
The House Energy and Commerce Committee is scheduled to hold a hearing on the subject Wednesday.
Reach reporter Cathryn Walker at [email protected] or (202) 326-9867. SHFWire stories are free to any news organization that gives the reporter a byline and credits the SHFWire.