Retailers, card issuers share data breach troubles with Congress

By Erin Ayers on May 17, 2015


Retailers told members of a congressional panel last week that, rather than banks bearing the brunt of costs from data breaches, affected companies experience many costs related to cyber attacks.

The United States House of Representatives’ Financial Services Committee held a hearing to address consumer protection efforts amid a more perilous information security environment, focusing on data security enhancement and the shift to more secure credit and debit card technology.

Brian Dodge, executive vice president for the Retail Industry Leaders Association (RILA), told members of the Committee, “One area of security that needs immediate attention is payment card technology. RILA members have long supported the adoption of stronger debit and credit card security protections. The woefully outdated magnetic stripe technology used on cards today is the chief vulnerability in the payments ecosystem. This 1960s era technology allows cyber criminals to create counterfeit cards and commit fraud with ease. Retailers continue to press banks and card networks to provide US consumers with the same Chip and PIN technology that has proven to dramatically reduce fraud when it has been deployed elsewhere around the world. According to the Federal Reserve, PINs on debit cards make them 700 percent more secure than transactions authorized by signature.”

Dodge added that retailers are contractually obligated to pay per card swipe to account for future breaches, even if none occur.

“Card issuers are compensated for card reissuance costs even if no fraudulent activity has actually occurred on the account,” he said, citing an estimate of $50 billion annually.

Jason Oxman, CEO of the Electronic Transactions Association (ETA), said that rather than stalling, payment entities have been pushing for more secure methods, i.e., EMV or chip-and-PIN, for years.

“To incentivize more rapid migration to EMV adoption, the payments industry faces an October 2015 liability shift for their card transactions, at which point any participant in the transaction chain who is not EMV compliant will be responsible for any resulting fraud,” he said. Oxman told representatives that secure card transactions are overwhelmingly selected by consumers instead of cash or checks in large part because they do not have any liability for fraud.

The Committee also heard from the PCI Security Standards Council, which promulgates payment card compliance standards. The group’s general manager, Stephen Orfei, noted that a March report from Verizon found that of all the retailers breached in 2014, none were found to be compliant with PCI data security standards.

“Recent breaches at retailers underscore the complex nature of payment card security and the need for ongoing vigilance. A complex problem cannot be solved by any single technology, standard, mandate, or regulation. It cannot be solved by a single sector of society — business, standards-setting bodies, policymakers, and law enforcement — must work together to protect the financial and privacy interests of consumers,” said Orfei.

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at erin.ayers@zywave.com.