Merchants and financial institutions will find their information-protection practices under intense scrutiny this week in Washington, where no fewer than four Senate and House of Representatives hearings are scheduled in the wake of payment card data breaches at Target Corp., Neiman Marcus Group and other merchants.
The sessions kick off Monday afternoon when the Senate Banking Committee’s National Security subcommittee holds a hearing titled “Safeguarding Consumers’ Financial Data.” Senior executives from Target and Neiman Marcus are scheduled to testify at hearings on Tuesday and Wednesday (see links below).
Other witnesses will include top executives of the PCI Security Standards Council, the body that administers the main Payment Card Industry data-security standard and its related standards governing payment software and PIN-accepting devices. Bob Russo, general manager of the Wakefield, Mass.-based PCI Council, says he “absolutely” anticipates being grilled when he goes before a House subcommittee on Wednesday, and he predicts the same for the Council’s chief technology officer, Troy Leach, who is scheduled to testify Monday. Russo says he and Leach expect to field questions about just how effective the PCI standards are when data breaches keep happening.
“Certainly we’re both going to be addressing that,” Russo tells Digital Transactions News. “Our opinion is that recent breaches are shining a spotlight on why a multi-layered approach is really necessary.”
While much of the debate since Target confirmed in December a breach of 40 million payment card numbers, and later of non-card information on 70 million customers, has focused on whether the U.S. should hurry up and adopt Europay-MasterCard-Visa (EMV) chip cards to replace vulnerable magnetic-stripe cards, Russo says EMV by itself is only part of the answer. “PCI is in the best position” to stop would-be data thieves, according to Russo.
Although many details have yet to be revealed, Target has said that malware placed on its point-of-sale payment-processing system led to the compromise. The malware appears to have been developed by hackers in Russia, according to various reports. In his prepared remarks for Monday’s hearing, Leach says, “protection from malware-based attacks requires more than just EMV chip technology. Reports in the press regarding recent breaches point to insertion of complex malware. EMV chip technology could not have prevented the unauthorized access, introduction of malware, and subsequent exfiltration of cardholder data. Failure of other security protocols required under Council standards is necessary for malware to be inserted.”
Leach’s testimony also says the PCI Council “welcomes this hearing and the government’s attention on this critical issue,” but urges government to back off from directly setting security standards for the card industry.
“High-profile events such as the recent breaches are a legitimate area of inquiry for the Congress, but should not serve as a justification to impose new government regulations,” Leach’s remarks say. “It is unlikely any government agency could duplicate the expansive reach, expertise, and decisiveness of PCI. Any government standard in this area would likely be significantly less effective in addressing current threats, and less nimble in protecting consumers from future threats, than the constantly evolving PCI standards.”
Russo says government should step up law enforcement against data thieves and increase its research into data security—and do a better job of quickly informing affected parties after each breach of exactly how hackers did their dirty work. “In order to find out the causes and look at the forensics, you have to wait until a lawsuit is filed,” he says. “We have to wait until it’s litigated, until everyone has paid their debt to society, to find out what’s happened.”
Other witnesses from the National Retail Federation and financial-institution trade groups are likely to give lawmakers differing takes on who should be responsible, and pay, for better card security.
Reports of yet another data breach surfaced over the weekend, this one involving Merrillville, Ind.-based White Lodging, which manages 168 hotels under various brands in 21 states. An unknown number of cards used by guests at Marriott hotels managed by White Lodging have been linked to fraud, according to press reports.
What follows is a list of the upcoming hearings and links to their sponsors. All times are Eastern.
>>>Feb. 3, 3:00 p.m.: Senate Committee on Banking, Housing and Urban Affairs, Subcommittee on National Security and International Trade and Finance, “Safeguarding Consumers’ Financial Data.”
>>>Feb. 4, 10:15 a.m.: Senate Judiciary Committee, “Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime.” Witness list includes John J. Mulligan, chief financial officer at Target, and Michael R. Kingston, chief information officer of Neiman Marcus. Hearing is scheduled to be Webcast.
>>>Feb. 5, 9:30 a.m.: House Energy and Commerce Committee, Subcommittee on Commerce, Manufacturing and Trade, “Protecting Consumer Information: Can Data Breaches Be Prevented?” Witnesses include Mulligan and Kingston.
>>>Feb. 6, 10:00 a.m.: Senate Banking Committee, “Oversight of Financial Stability and Data Security.”