Finger-Pointing at Breach Hearing
Retailers, Banks Debate Card Security Issues
"Chip and PIN is much more effective than what we have presently in the U.S. with the swipe system," said Sen. Mark Warner, D-Va., chairman of the Senate Banking Committee's Subcommittee on National Security and International Trade and Finance, referring to magnetic stripe cards now in use. "But we shouldn't assume any single technology is a silver-bullet solution."
Mallory Duncan, general counsel for the National Retail Federation, testified that mag-stripe cards are outdated. "Fraudsters rely on our system being so porous. What's needed is for networks and banks to issue cards that are not so easily compromised," he testified.
Chip card technology used throughout Europe and other parts of the world, including Canada and Mexico, adheres to what is known as the Europay, MasterCard, Visa standard. The standard, which was developed in the 1990s, was implemented to reduce fraud on transactions made in-person at the point of sale.
EMV, as it's better known, is widely regarded as being more secure than mag-stripe card technology. EMV cards contain embedded microprocessor chips that store, transmit and process encrypted information, so transactions made using the cards cannot be skimmed at the point of sale.
The card networks are pushing U.S. issuers and merchants to move toward EMV by setting loose deadlines for liability shifts to take effect in October 2015. Fraud that results on a mag-stripe card after that date will be the responsibility of the merchant, if the merchant is not EMV compliant, or the issuer, if the card only contains a mag-stripe.
Lamenting Slow Pace
Sen. Elizabeth Warren, D-Mass., offered her take on the state of EMV migration: "Banks have delayed; retailers have delayed; the government has delayed. Consumers have paid the price."
When it comes to improving security, "EMV chip is an extremely effective method in face-to-face environments," testified Troy Leach, chief technology officer at the PCI Security Standards Council. "But EMV is only one piece. Additional controls are needed."
When pressed for their opinion on moving to EMV cards by Sen. Warner, all those testifying expressed their support for a move to chip cards. While some favored using EMV cards in conjunction with a PIN, others argued for using the cards with a signature.
On Feb. 3, Target CFO John Mulligan, in an opinion piece in the Hill newspaper, outlined the company's initiative to implement the use of chip-enabled smart cards for its proprietary REDcards by early 2015. "At Target, we've been working for years towards adoption of this technology," Mulligan wrote. "Since the breach, we are accelerating our own $100 million investment to put chip-enabled technology in place."
Call for Collaboration
Sen. Warner called for collaboration on the current security issues facing banks and retailers.
"It's my strong hope that as we approach this issue, we recognize that rather than pointing blame at each other, the only way this is going to work is for the banking industry and retailers to collaborate together," he said.
Yet finger-pointing was evident throughout the testimony given before the Senate panel.
"Retailers would rather pass the burden onto banks rather than taking reputational hits themselves [for data breaches]," said James Reuter, executive vice president at FirstBank, speaking on behalf of the American Bankers Association. "In such cases, banks are put in a position of notifying customers of a breach without being able to divulge where the breach occurred."
But Edmund Mierzwinski, consumer program director for the U.S. Public Interest Research Group, noted: "Merchants are being asked to add bells and whistles to an obsolete system from the mid-20th century."
Sen. Robert Menendez, D-N.J., noted: "Banks say retailers should have more liability. Retailers say banks should have more liability. The only entity that's getting screwed is the consumer."
Menendez warned against requiring banks or retailers to use a technology that, over time, could become obsolete.
"We have to have a different paradigm as to how we get [to increased security]," he said. "It seems to me that creating some type of standard that doesn't lock you into a technology that in time may be a dinosaur, but does ultimately create a standard of responsibility, is important for banks and retailers."
Menendez also claimed that the risk of breaches is increasing because "companies are collecting, storing and processing information often against consumers' wishes or without their knowledge."
Increasing FTC Enforcement
During her testimony, Jessica Rich, director of the Bureau of Consumer Protection at the Federal Trade Commission, showed support for adopting federal standards around data security and breach notification. Several bills calling for such standards are pending before Congress (see Yet Another Data Breach Bill Introduced).
"Right now, there are state laws, but no standard at the federal level, and no civil penalties," she said. "We have tools and are using them to address failures, but it would be extremely helpful to have a federal law requiring security."
Sen. Warren said the FTC has settled only 30 cases since 2002 involving claims against organizations for unfair or deceptive practices. "That would be about three per year," she said. "I think it's fair to say that's not many, given the number of breaches we've seen over the last decade."
Mierzwinski also advocated giving the FTC increased authority, "including the right to issue civil monetary penalties."