According to Kingston, Neiman Marcus' systems exceed the requirements of the Payment Card Industry Data Security Standard (PCI DSS), the card brands' set of security requirements for handling cardholder data.
PCI DSS requires card data to be encrypted when it crosses open, public networks, but not while it travels over a retailer's internal network. Data from cards swiped at Neiman Marcus passes through a point-of-sale device's memory, "then is transmitted through an encrypted tunnel to a central point on our network," Kingston wrote.
"The data is then forwarded through a firewall to the merchant payment processor over a dedicated circuit," he wrote.
Kingston described the malware used as "complex and its output encrypted."
Its investigators analyzed the encryption algorithm and created a script that allowed them to decrypt the information it scrambled, which showed "payment card information had been captured," Kingston wrote.
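The exposure described above is the window that POS RAM scrapers use: the card data sits unencrypted in the point-of-sale process's memory before it enters the encrypted tunnel, and it is also what an incident responder looks for when checking whether captured data contains payment card information. The following Python is an added example, not code from the article, from Neiman Marcus or from its investigators: it scans a constructed process-memory buffer for ISO/IEC 7813 Track 2 records and keeps only those whose primary account number passes the Luhn check. The sample bytes, the regular expression and the function names are assumptions for illustration, and the malware's own output encoding (which the article says had to be reverse-engineered before the data could be read) is not modelled; the scan runs over plaintext memory.

```python
import re

# Track 2 as it sits in POS process memory (ISO/IEC 7813):
#   ;PAN=YYMM<service code><discretionary data>?
# Assumed pattern for this example; real dumps need tolerance for
# partial records and alternative separators.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\?")


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn mod-10 check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list[dict]:
    """Find plausible Track 2 records in a memory image.

    A regex hit alone is not enough: random digit runs also match, so the
    PAN must pass Luhn before the hit is reported. Only masked PANs are
    returned so the scanner's own output is not a new cardholder-data store.
    """
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_valid(pan):
            continue   # looks like a track but is not a real card number
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}",  # MM/YY
            "service_code": m.group(4).decode(),
        })
    return hits


# Constructed sample: fragments of a POS process image. The first record
# uses a well-known Luhn-valid test PAN; the second is a decoy whose PAN
# fails Luhn and must be skipped.
SAMPLE_MEMORY = (
    b"\x00\x00pos.exe\x00\x7f\x02"
    b";4111111111111111=25121011234567890?"
    b"\x00\x00\x00MSR\x00"
    b";1234567890123456=2601201000?"
    b"\x00\xff\xff"
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
```

The Luhn filter is what separates "the script found digits" from "payment card information had been captured": a responder reporting the latter wants hits that are structurally valid card numbers, with the PAN masked in any report that leaves the forensic workstation.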
Security experts believe a variant of "Kaptoxa," also called "BlackPOS," was used against Target. The malware was spotted by security companies as early as March 2013. It wasn't clear from Kingston's letter whether Kaptoxa is the same malware that was used against Neiman Marcus.