WASHINGTON — A top executive of Target told a Senate committee on Tuesday that the company was accelerating plans to adopt a technology widely used in Europe but rare in the United States that reduces potential for credit card fraud, and lawmakers from both parties called on other businesses to do the same.
The session, a Senate Judiciary Committee hearing on privacy in the digital age, was the first time that executives from Target and Neiman Marcus have been subject to detailed public questioning about the detection and handling of the recent data security breaches that exposed the data of millions of customers.
John J. Mulligan, Target’s chief financial officer, confirmed that the data thieves gained entry to Target’s system by stealing an outside vendor’s credentials, and he disclosed for the first time that Target found malware on 25 registers three days after the company thought it had removed the threat from its system.
Michael R. Kingston, chief information officer of the Neiman Marcus Group, spent much of his testimony going over the time frame that led to public disclosure of his company’s breach on Jan. 10, some six months after it began last July. He said the malware that infiltrated the company’s system was “exceedingly sophisticated,” that it had a “zero percent detection rate” by antivirus software, and that the company had first learned of a possible breach when MasterCard contacted it on Dec. 17 to say that 122 of its cards that had been used fraudulently had also been used at one Neiman Marcus store.
The breaches have unsettled consumers, and left many angry and uncertain about the safety of their personal information. The incidents have reignited calls for federal legislation setting database security standards and consumer notification requirements.
“These stores are a major part of our economy,” said the committee chairman, Sen. Patrick J. Leahy, D-Vt. If consumers don’t trust businesses to keep their data secure, he said, “our economic recovery is going to falter.”
Much of the discussion focused on a technology widely used in Europe called EMV that basically amounts to a small chip embedded in each card (rather than a magnetic stripe) that creates a new code for each transaction. This makes it nearly impossible to counterfeit cards, though the card data itself can still be taken.
The United States has been far slower to adopt the technology in part because retailers have been reluctant to spend the money to replace current card-processing machines.