Breach hearings: How did security fail?

Testimony Before Congress Reveals Encryption Gaps

by Tracy Kitten

Encryption gaps in retail payment card transactions were highlighted at a U.S. House hearing on Feb. 5 that examined security in the aftermath of malware attacks against point-of-sale systems at Target Corp. and Neiman Marcus.

At the hearing of the Energy & Commerce Committee’s Subcommittee for Commerce, Manufacturing and Trade, executives from Target and Neiman Marcus testified that their breaches occurred when data from the magnetic stripes on credit and debit cards was collected in the clear at the point of sale before being encrypted as payment transactions were processed.

“Mag-stripe data was compromised prior to encryption within our system,” John Mulligan, Target’s executive vice president and CFO, testified. “Data comes into the point-of-sale systems from the mag-stripe unencrypted.”

Michael Kingston, senior vice president and CIO at Neiman Marcus, described the same scenario. “The information was scraped immediately following the swipe – milliseconds before sent through encrypted tunnels for processing,” he testified.
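The gap both executives describe is a matter of where encryption happens: if the reader hands plaintext track data to the POS application, that plaintext sits in POS memory until the application encrypts it for transmission. The following added example (not code from the article or from either retailer) models the two flows with AES-GCM and a constructed Track 2 string built from a well-known test PAN; the key handling is simplified and the "POS buffer" is just a byte slice standing in for process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"strings"
)

// Constructed sample Track 2 data built from a standard test PAN, not a real card.
const sampleTrack2, samplePAN = ";4111111111111111=2512101?", "4111111111111111"

// posBuffer models the bytes the POS application holds after a swipe.
type posBuffer struct{ data []byte }

// sealGCM encrypts with AES-GCM; the random nonce is prepended to the ciphertext.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// legacySwipe models the flow from the testimony: the reader hands the POS plaintext
// track data and the POS encrypts only when sending it on, so plaintext sits in memory.
func legacySwipe(track string, key []byte) (posBuffer, []byte, error) {
	buf := posBuffer{data: []byte(track)} // cleartext window in POS memory
	ct, err := sealGCM(key, buf.data)
	return buf, ct, err
}

// p2peSwipe models point-to-point encryption: the reader encrypts at the swipe,
// so the POS application only ever holds ciphertext it cannot decrypt.
func p2peSwipe(track string, readerKey []byte) (posBuffer, error) {
	ct, err := sealGCM(readerKey, []byte(track))
	return posBuffer{data: ct}, err
}

// exposesPAN is the defender's check: does the POS buffer contain the PAN in clear?
func exposesPAN(buf posBuffer, pan string) bool {
	return strings.Contains(string(buf.data), pan)
}
```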

Data in Clear Raises Concerns

Rep. Marsha Blackburn, R-Tenn., said it is perplexing that card data is potentially visible to fraudsters at any point during the transaction. Even companies that adhere to mandated industry security practices, such as compliance with the Payment Card Industry Data Security Standard, can still be breached, she noted.
