Target Corp. will move toward EMV smartcards and chip-and-PIN technology at least six months sooner than the card networks' October 2015 timeline for the security measure, says John Mulligan, Target's chief financial officer.
The day before his appearance at a Senate Judiciary Committee hearing Feb. 4 to explain Target's actions and response to its holiday-season data breach, Mulligan cited his company's $100 million investment to put EMV technology in place in early 2015, in an item he wrote for The Hill's blog.
Target has a goal of implementing chip-based technology on its proprietary Redcards, Mulligan says.
Target will also support the use of a PIN to authenticate EMV transactions, even though many U.S. issuers are taking a signature-only approach, Mulligan says.
"To be frank, there is no consensus across the business community on the use of PINs in conjunction with chip-enabled cards," Mulligan writes. "But Target supports the goal and will work toward adoption of the practice in our own stores and more widely."
Target had multiple layers of defense, but still came under attack by sophisticated, global criminals, Mulligan says.
Mulligan and Neiman Marcus Group chief information officer Michael Kingston joined others to provide testimony to the Senate committee about the data breaches that occurred at their retail operations. Target reported about 40 million card accounts were exposed in the breach that affected shoppers at its retail stores, with the personal information of 70 million people separately affected. Neiman Marcus reported about 1.1 million credit card accounts were affected in a breach of its own customer data.
In his testimony, Mulligan echoed Target's commitment to chip-based technology and explained the process Target has undertaken since first learning of its data breach in early December. The breach came about from a criminal using compromised vendor credentials to access Target's system, Mulligan said.
"To stop this from happening again, none of us can go at this alone," Mulligan told committee members. "We have an ongoing commitment to making this right."
Neiman Marcus was never a victim of a cyberattack in the past, Kingston says. "But this was an exceedingly sophisticated malware, and investigators told us there was a zero detection rate by the anti-virus software in place."
Despite all of the security layers Target had in place, the company was not aware it had been breached prior to federal investigators informing them of the compromise, Mulligan said.
Committee members said Target's situation would serve as a lesson on the sophistication of cyberattacks.
"We are all trying to find the solutions to this serious problem and need to cooperate on this together," Sen. Chuck Grassley (R-Iowa) said. "This is not government against business."
Regardless, government officials need to understand how they can help provide guidance "rather than cumbersome federal regulation" and help companies be proactive and flexible in data security, Grassley said.