WASHINGTON -- Target CFO John Mulligan appeared before a U.S. Senate committee this morning to express that the retail giant was "deeply sorry" for losing 110 million customer records to hackers.
"We will learn from this incident and, as a result, we hope to make Target, and our industry, more secure for customers in the future," he said.
Mulligan is right about lessons to be learned. And let's hope that these public disclosures of the scale of daily cybercrime will help to accelerate tougher industry security rules, perhaps backed by new consumer protection laws.
Sterne Agee analyst Vijay Rakesh attended a Monday hearing at which financial industry analysts painted the wider context for lawmakers. Rakesh shared what he thought were the big takeaways:
Data breaches hit the bottom line hard. It will cost Target, Neiman Marcus and Michaels, and/or their banking partners, $5 to replace each standard credit card account with a new account number and plastic. That's $550 million if Target has to replace 110 million cards. That doesn't count any penalties, credit watch expenses, lawsuit settlements and beefed-up cybersecurity systems.
Debit cards are more risky and have less protection. Lawmakers heard about the convergence among credit and debit card standards, and panel members expressed the belief that debit card safety should be just as important as credit card safety. This could boost the potential tailwind for rapid and wide U.S. adoption of smart payment cards, using EMV Chip and PIN systems.
Magnetic stripe cards must go.
Some odd, definitely insecure practices add to consumer risk. Card issuers have told retailers they are not allowed to deny a sale to a consumer based on a signature that doesn't match the signature on the back of their card. It also violates current standards to ask for additional ID at the point of sale. Chip and PIN adds a significant layer of protection to any credit card.
Meanwhile, antivirus giant Symantec showed up at this morning's hearings to add its two cents. Fran Rosch, Symantec's senior vice president of security products, testified that sophisticated hacks of point-of-sale systems are not new, but that the pace is increasing.
"The increase in successful attacks brings with it media attention and citizen concern, but it is critically important that the public conversation we are now having not just be about one attack or one company," Rosch said. "Every retailer is at risk, and over time we often learn that the most widely reported victim was not the one hit hardest. So the conversation should be about breaches – plural – not just one breach; it should be about how they are happening, how government can go after the sophisticated criminal enterprises that steal the data, and what organizations can do to prevent and minimize the risk of a successful attack."