Retail Breaches: End the Finger Pointing
Why Regulators Need to Hold Card Brands Accountable
Comments made this week by a banking regulator about the need for retailers to bear responsibility for card breaches have spurred debate.
Rick Metsger, vice chairman of the National Credit Union Administration board, noted at the NCUA's annual Governmental Affairs Conference in Washington that cyber-attacks waged against financial services and payments systems had reached "epidemic proportions."
What's more, he said retailers are most often to blame for increasing cyber-risks - an ironic statement coming from a regulator that took responsibility for the breach of consumer data exposed during a routine exam last year (see Agency Takes Responsibility for Breach).
"The old retail motto, 'You break it; you buy it,' should apply here," Metsger said in comments about merchants bearing responsibility. "When lax security by a retailer results in a data breach and necessitates the need to replace cards, open new accounts, or provide credit screening, the responsible party - the retailer - should shoulder the cost, not your credit union."
Twelve months ago, shifting blame onto the retailers may have sounded like a valid argument. Today, it's an outdated perspective.
Critics say rather than pointing fingers, federal regulators need to play stronger leadership roles in helping banking institutions and merchants figure out how they can work together to curb fraud.
William Murray, an information security and technology consultant, sums it up best when he says that simply making merchants pay more for fraud and breach resolution is not solving the core problem - a broken payments infrastructure.
"It is interesting that a regulator wants to blame the merchants, rather than the [card] brands and big issuers," Murray says. "[Regulators] see the problem as merchant breaches, rather than that the system is broken."
Murray attended Information Security Media Group's Fraud Summit in Los Angeles on Feb. 24, when merchant security responsibilities were heavily debated (see EMV Migration: The Merchants Fight Back).
"I have sympathy for the credit unions," Murray says. "However, piling more cost on the merchants is not going to fix anything. There was general agreement at the Fraud Summit that the merchants did not cause this problem and cannot fix it."
Merchants Pay, Too
We all have sympathy for smaller financial institutions faced with considerable expenses tied to retail breaches. Community banks and credit unions have been outspoken about the need for retailers to enhance their network and point-of-sale security, noting that when retailers are breached, banks and credit unions have to absorb most of the losses.
But keep in mind that merchants also face significant security-related expenses. In addition to costs related to PCI compliance, they also pay fees, such as for interchange, to payments processors and the card brands (see Court Rules in Favor of Breached Retailer). In the wake of a breach, those transaction fees are supposedly used to help reimburse issuers for losses and expenses they may have suffered.
As card breaches have become more prevalent, it's obvious the banks and credit unions aren't seeing as much reimbursement from the card brands as they'd like (see Compensating Banks for Breaches).
Card Brands' Role
So that leaves us with a glaring question no regulator has wanted to ask: What are the card brands going to do to ensure merchants are secure and breach-related losses and expenses are covered?
This is where regulators need to step in by holding the card brands more accountable.
"If he [Metsger] wants to be relevant, he should put his weight behind a call to the [card] brands for systemic change, not carping at the merchants," Murray says. "His sympathy for those he regulates and his scorn for the merchants may be popular rhetoric for this audience, but it is otherwise irrelevant."
Former NCUA Chairman Michael Fryzel says simply: "A lot more dialogue is needed. If the problem is as serious as NCUA has said, that dialogue must take place now, with the determined steps to be implemented as soon as possible."
A Collective Effort
More dialogue may very well be on the way. Metsger hints in his comments that regulators understand they need to play a more prominent role.
"We must all realize that this problem is national in scope," Metsger says. "It will continue to morph into new challenges and call for new safeguards. Both the regulator and regulated must be vigilant at every level to confront cybercrime. All of us have a role."
But the role of card brands, in particular, needs to be more clearly spelled out.