Perspective: Payment system security needs less talk, more action

Finger-pointing between retailers and banks in wake of Target breach a symptom of the problem; Congress likely to step in

Retailers and banks must move quickly to figure out who should be responsible for better securing the payments system network or risk having Congress decide for them.

In the weeks since a massive data breach at retailer Target, banks and retail industry groups have been ferociously blaming each other for not doing enough to prevent such hack attacks. The latest debate continues a longstanding feud that has stalled progress on efforts to improve credit and debit card security.

Both sides need a change in attitude.

The American Bankers Association (ABA), Credit Union National Association (CUNA), the National Association of Federal Credit Unions (NAFCU) and others have renewed calls for regulations that would require retailers to implement stronger data security controls.

"When a retailer like Target speaks of its customers having 'zero liability' from fraudulent transactions, it is because our nation's banks are providing that relief, not the retailer that suffered the breach," ABA president Frank Keating said in a letter to Congress earlier this month.

In an opinion piece posted on AmericanBanker.com last week, NAFCU CEO Dan Berger chided retailers for downplaying their role in safeguarding sensitive customer data.

The Gramm-Leach-Bliley Act for years has required that banks and credit unions implement strong data security controls, he noted, and now it's time to implement similar rules for retailers. "If retailers want to reap the rewards of consumer sales, they should also take an active role in protecting their data," Berger said.

According to CUNA, credit unions have so far spent more than $30 million to recall and reissue credit and debit cards impacted in the Target breach. When fraud-related costs are factored in, credit unions could end up paying a much higher price for Target's folly, according to the association.

"Contrary to what some may think, these expenses will not be reimbursed to credit unions and their members by Target or other retailers," CUNA President and CEO Bill Cheney said in a statement. "Rather, credit unions must solely cover these costs of their card program administration, including in these circumstances of reacting to a merchant data breach."

Meanwhile, the influential National Retail Federation (NRF) deftly responded by placing the blame for breaches on card technology used by banks and credit unions around the U.S.

"For years, banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next-generation PIN and Chip card technology for customers in Europe and dozens of other markets," NRF President and CEO Matthew Shay said in a letter to two lawmakers this week.

Retailers are ready and willing to make the switch to PIN and Chip cards, but banks have dragged their feet, Shay contended. "The fact remains that retailers cannot do this alone."

Disagreements over who should shoulder responsibility for data security have become de rigueur after every major breach over the past few years. The same questions and concerns voiced after the Target breach were also aired after a major breach at TJX more than five years ago.

Retailers continue to insist they are doing all they can to keep customer data secure, while banks claim they must bear too much of the cost of retail security breaches. Efforts to close the gap have seen little real progress over the past several years.

Retailers, especially big ones, must focus most of their information security efforts on compliance with the Payment Card Industry Data Security Standard, a set of security requirements mandated by Visa, MasterCard, American Express and other credit card associations.

The PCI standards aim to get retailers to adopt best practices for protecting credit and debit card data. Over the years, compliance with the standard has become the security end goal for many retailers. Target and other top retailers have spent tens of millions of dollars on ensuring PCI compliance over the past few years.

The payback on these investments has to date been somewhat mixed.

Retailers continue to remain huge targets for data thieves. The Target breach alone resulted in the compromise of more than 40 million credit and debit cards and the exposure of personal data from some 70 million more people. At least three other retailers, including Neiman Marcus, were recently compromised in similar fashion.

Data breaches in recent years have forced retailers to pay tens and even hundreds of millions of dollars in remediation, legal and other costs.

Still, the payment card industry does not have so much as an information sharing and analysis center for disseminating malware and threat-related data like almost every other major sector does.

Several PCI-compliant companies have suffered breaches, raising questions about the effectiveness of the standards, which critics say have failed to keep up with fast-evolving security threats.

Gartner analyst Avivah Litan noted in a blog post this week that nothing in the PCI standard would have helped Target detect the malware used to attack its point-of-sale system network.

Other efforts to improve payments systems security, such as end-to-end encryption and tokenization of payment card data, have also had limited success because of relatively low adoption levels. Retailers who have adopted such measures sometimes claim they are forced to decrypt data before sending it to their bank.

Banks have also continued to drag their feet on chip and PIN technology.

Organizations like CUNA have been quick to note that the updated technology, known as Europay MasterCard Visa (EMV) smartcards, would likely have done little to stop the Target incident.

Even so, EMV is widely considered better than the magnetic stripe technology used to encode data in most credit and debit cards issued in the U.S., which is one of the few countries not to adopt EMV.

The NRF insists that retailers are ready and willing to make the investments necessary to switch to the EMV standard. But banks have so far at least not been willing to make the switch.

The scope of the Target breach drew the attention of lawmakers. Members of the House Financial Services Committee have called for a hearing on the breach to look into what might have happened and to figure out if new data protection mandates are needed for retailers.

While the ABA, CUNA and other banking groups would welcome such federal intervention, it could spell trouble for retailers.

In the aftermath of the TJX breach back in 2007, some lawmakers wanted to require that retailers implement data security standards similar to those imposed on financial services companies.

Retailers argued then that such measures aren't needed because the data they handle is far less sensitive than that maintained by banks and other financial institutions. Even so, there's a real risk that the breach will prompt Congress to significantly expand the scope of mandated data protection requirements.

It's now time for an industry-wide discussion on data security, says Cathy Hotka, a long-time retail consultant who helped set up the CIO Council at the NRF years ago.

Ten years ago, a Target-like breach would have been seen as an unfortunate one-off incident, Hotka says.

These days, she said, "We know there are these spectacularly sophisticated tools that bad guys can use to gain access to any network. They are vastly better equipped than they used to be [so] the time for action is now."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His email address is jvijayan@computerworld.com.
