Merchants and Card Security Executives Questioned in Hearings on Recent Payment-Card Security Lapses


Four Senate and House of representatives hearings were scheduled in Washington as a result of the December 2013 payment security breaches experienced by Target, the Neiman Marcus Group, and a number of other merchants. In these hearings titled “Safeguarding Consumers’ Financial Data,” the information-protection practices used by merchants and financial institutions were reviewed and evaluated by the Senate Banking Committee’s National Security subcommittee. In these hearings, the National Retail Federation and financial-institution trade groups, senior executives from both Target and Neiman Marcus, and the top executives from the PCI Security Standards Council, which is the entity that governs the main Payment Card Industry data-security standard and its related standards governing payment software, as well as PIN-accepting devices were called on to testify.

Executives Troy Leach and Bob Russo from the PCI council were expected to be questioned extensively regarding the effectiveness of PCI standards, considering that data breaches have continued to occur under the current PCI standards. In a statement by Russo to Digital Transactions, he says that he and other PCI executives believe that a multi-layered security approach is necessary to prevent these types of breaches in the future. He also believes that adopting new EMV chip technology to prevent these types of security breaches is only part of the answer. He stated that “PCI is in the best position” to stop would-be data thieves, although they have not had a great deal of success up to this point considering the fact that there was a breach of 40 million payment card numbers as well as non-card information on 70 million customers discovered in the December breach faced by Target.

Target cited placement of malware developed by hackers in Russia on its point-of-sale payment-processing system as the reason for the security breaches. PCI executive Troy Leach stated that EMV technology could not have prevented the complex malware-based attacks. The technology would not have prevented the unauthorized access, introduction of malware, and subsequent exfiltration of cardholder data. He said that “Failure of other security protocols required under Council standards is necessary for malware to be inserted.” Leach also stated that the PCI council “welcomes this hearing and the government’s attention on this critical issue,” but urges government to back off from directly setting security standards for the card industry. High-profile events such as the recent breaches are a legitimate area of inquiry for the Congress, but should not serve as a justification to impose new government regulations.” Leach went on to say “It is unlikely any government agency could duplicate the expansive reach, expertise, and decisiveness of PCI. Any government standard in this area would likely be significantly less effective in addressing current threats, and less nimble in protecting consumers from future threats, than the constantly evolving PCI standards.”

In PCI executive council member Russo’s opinion, the government should increase its research into areas of data-security, while increasing penalties against data thieves. He also believes that the response by government in informing parties affected by security breaches should be much faster to allow parties to determine how hackers were able to accomplish these breaches. Russo states that as it stands now, “In order to find out the causes and look at the forensics, you have to wait until a lawsuit is filed. We have to wait until it’s litigated, until everyone has paid their debt to society, to find out what’s happened.”