Retailers and bankers traded jabs through their trade associations this week, each blaming the other for data breaches that occurred at Target and Neiman Marcus.
On Tuesday the National Retail Federation sent a letter to House Speaker John Boehner (R-OH) and Senate Majority Leader Harry Reid (D-NV) urging passage of a cyber-security law and implementation of PIN and chip technology to avert future breaches such as the ones that affected an estimated 110 million shoppers at Target and one million customers of Neiman Marcus. In so doing, NRF placed the blame squarely on the shoulders of financial institutions.
“For years banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next generation PIN and chip card technology,” charged the letter, which called for card-issuers to invest in technology to “secure sensitive bank card data.”
In return, the Independent Community Bankers of America expressed “shock and outrage” over the retailers’ assertions. “The NRF should focus its attention on responding to the harm that security breaches at several retailers have done to consumers and their financial institutions rather than hurling false allegations blaming the banking industry for these retail breaches,” ICBA President and CEO Camden R. Fine said in the statement. “Retailers and their processors—not banks—are responsible for the systems in their stores that process payment cards.”
ICBA had earlier sent letters to members of Congress, urging that liability for such data breaches should be assigned to the party responsible for compromising consumer information, “be it a retailer, data broker, financial institution, or other entity.” The NRF’s letter prompted ICBA’s riposte, which essentially clarified its position that, in the cases of Target and Neiman Marcus, bankers felt that retailers were the guilty party.
The bankers are on the right track, according to the leader of a nonprofit that seeks to create best practices for data security and privacy. “I don’t want to point a finger at Target, but there were questions about their customer data leaking and even their email lists,” says Craig Spiezle, president of the Online Trust Alliance (OTA). “It’s very much one of the principles of security that different data sets should be isolated from one another. Something had to have happened, like a rogue employee for instance, for all that customer data to get out.”
OTA backers include such organizations as Epsilon, Microsoft, PayPal, Responsys, Return Path, and Symantec.
Retailers are sensitive to this issue because the cost to them is substantial. Financial institutions do not charge credit card holders for fraudulent purchases made with stolen cards, but somebody has to pay the bill, and that ends up being retailers, which are hit by the banks with what are called “chargebacks.”
The PIN and chip credit card system, otherwise known as EMV (Eurocard, Mastercard, Visa), is an accepted global security standard in which purchasers insert their cards into readers and enter a personal identification number before the transaction can go through. Financial institutions have required retailers to install PIN and chip technology by the end of 2015. Those who do not comply will be liable for chargebacks.
Spiezle and the OTA hold that both parties in the transaction have a shared responsibility to protect the sanctity of their own first-party customer data. “It’s not the time for finger pointing; it’s time for stepping up to the plate and doing risk assessment on how to avert fraud,” Spiezle says. “Cyber criminals are tenacious and innovative. They’re looking at these industries fighting with each other and they’re enjoying it.”
The OTA this week released its free 2014 Data Protection & Breach Readiness Guide, which notes that 30% of the biggest data breaches occurred last year and that 89% of them could have been avoided with proper planning and controls.