Target is a retail behemoth well-rooted in the Minneapolis area as one of the biggest IT employers for the region.  As Target continues its efforts to rebound from the massive retail security breach late last year, it has made a couple of key announcements towards these goals.  These appear to be significant movements in the right direction of the company rebuilding its security operations and recovering from one of the most horrific retail breaches in recent memory.

• New CIO – an outsider

Yesterday Bob DeRodes was announced as the company’s new chief information officer (CIO), effective May 5.  DeRodes is an industry veteran who comes from outside the Target organization and the Minneapolis area.   This is a bit of a departure for the company, which is well known for promoting from within.  DeRodes brings with him a range of experience in finance, airline and retail environments that should prove valuable to Target.

2015: New MasterCard chip-and-PIN technology

Prototype of Chip-Enabled Target REDcards

The other major Target news to come out is that in early 2015, the entire spectrum of REDcard brand cards, including Target-branded credit and debit cards will integrate chip-and-PIN technology from MasterCard.  This is a significant security-minded upgrade in an industry that has thus far favored the ease of card swipe technology in the US.

The up-front cost will likely be significant, as new payment terminals in all 1,797 US stores are slated to be upgraded by September of this year and all existing cards will be replaced with the more expensive, upgraded cards.  Target is most likely looking beyond those costs in regaining consumer confidence and better protection against such issues in the future.

Generally when a major security incident has happened, you find out a lot about what went wrong and what can be improved after the fact.  Such is the case here.  In the wake of the massive data breach, the company has reportedly stepped up its security focus throughout its operations.  Highlights of these efforts in Target’s official statement include:

 .

• Enhancing monitoring and logging
• Installation of application whitelisting point-of-sale systems
• Implementation of enhanced segmentation
• Reviewing and limiting vendor access
• Enhanced security of accounts

 .

Finding the right talent

The DeRodes hiring is just one further step in this significant response, as the company is still looking for a chief information security officer (CISO) and a chief compliance officer. Notably, when the breach happened the company did not have a CISO in place.  This is a critical role in sensitive organizations and it would appear that Target is looking for that right talent for a largely unprecedented situation.

The hunt for a chief compliance officer also indicates the strenuous demands of the situation when it comes to Payment Card Industry – Data Security Standard (PCI-DSS).  Violations of this compliance standard that may have allowed this breach to take place have not fully played out in public thus far, and it may be some time before it is all clear.  However, it is clear that given the recent revisions of the regulation known as PCI-DSS 3.0, and the fact that there may be more self-imposed and regulatory scrutiny in maintaining this certification, this will be a tremendous undertaking for both roles.

You may recall that soon after the breach hit the news, Target CEO Gregg Steinhafel, a long-time veteran of the company, made a number of public appearances apologizing for the matter and stated that actions were being taken to correct the problems. Many pundits were critical of the amount of information coming out at the time, including the security editor writing this article.  Needless to say, here we are a hundred days or so later and there have been significant improvements in technology, process and personnel.  I tip my hat to Steinhafel, Target and eat said hat.

photo credit: Hindrik S & JeepersMedia via photopin cc; Target