Card Breaches: Retailers Doing Enough?
Merchant, Banking Groups Clash over Payments Security
The debate over accountability for card fraud has heated in recent weeks between leading retail and banking associations.
In the latest exchange, the Retail Industry Leaders Association and a handful of other retail groups sent letters to leading executives at the Credit Union National Association and the National Association of Federal Credit Unions, rejecting claims that retailers are not held accountable for breaches and that retailers' poor security practices are most often to blame for the compromise of card data.
RILA says U.S. merchants have not been negligent when it comes to security: Many retailers diligently work to enhance point-of-sale security and collaborate more with bankers to shore up payments security overall.
But most banking experts agree that poor retail POS security is primarily to blame for recent breaches, such as those at Target, P.F. Chang's, Home Depot and Kmart.
Still, enhancing security around the overall payments infrastructure must be a shared responsibility between merchants and banking institutions, the banking experts say.
The issuance of chip cards, for instance, and the deployment of POS terminals that comply with the Europay, MasterCard, Visa standard are musts, says Tom Kellermann, chief cybersecurity officer for Trend Micro, a security software and cloud-services provider. Bankers and retailers play a role, he says.
"The retailers have inadequate security, but the banks should deploy chip and PIN," Kellermann says.
The Most-Oft Breached?
Quoting the 2014 Verizon Data Breach Investigations Report, RILA says less than 11 percent of the 1,367 data-loss incidents investigated by Verizon last year involved retailers.
But other data breach reports show very different trends. On Oct. 28, the Identity Theft Resource Center issued its most recent Data Breach Reports, a compilation of recorded data breaches collected by the ITRC over the course of the year.
The ITRC found that 34.9 percent of the 636 breaches reported from January through Oct. 27 occurred at businesses, while only 3.8 percent occurred at banks or credit unions. Among the breached businesses that made the list, the majority are retailers and restaurants.
Other breached categories include education, government and military, and medical, which together account for 42.1 percent of the 626 breaches.
Who Pays for Breaches?
On Oct. 30, CUNA released results from a survey of its members showing that fraud losses and breach-recovery expenses associated with Home Depot cost credit unions more than Target's breach (see Home Depot Breach Cost CUs $60 Million and Accountability for Third-Party Breaches).
While the card brands, in some cases, do reimburse credit unions and banks for portions of what they dole out to cover fraud losses and card-reissuance, CUNA spokeswoman Vicki Christner says those reimbursements could take months, even years, to be paid.
Credit unions that suffered fraud losses and card-reissuance expenses in the Target breach have yet to be paid - some 10 months after Target's compromise was discovered, she says.
"What we do know is that credit unions have already paid at least $90 million this year to cover the costs of data breaches at Target and Home Depot - and there have been additional massive data breaches at [allegedly] Staples, Supervalu, Jimmy John's and others, which will only add to the $90 million cost credit unions are facing," Christner says.
To put that $90 million cost in perspective, the latest annual report published by the National Credit Union Administration shows federally insured credit unions earned $8.1 billion last year, meaning the $90 million represents slightly more than 1 percent of net income.
But RILA argues that merchants pay for the cost of card fraud, in an indirect way, by paying "swipe" fees for debit and credit transactions (see Court Ruling: A Fraud Prevention Boost?).
RILA says these fees are set by Visa and MasterCard, and that "merchants do not have a say in these reimbursement requirements."
Reimbursement Fees Not Enough
Still, numerous banking groups, including the Independent Community Bankers Association, say the recovery fees required by the card brands cover only pennies on the dollar of the losses that card issuers actually suffer.
Recovery allocations provided through the card networks vary widely, says Viveca Ware, executive vice president of regulatory policy for the ICBA. "Restitution is only available when the networks agree a certain breach is eligible for the [recovery] program," she said in a February interview with Information Security Media Group. "Typically, they are of a massive scale, like the T.J.Maxx breach."
"There is no easy answer," she adds. "This is such a complex issue," because Visa and MasterCard each have individual recovery programs that are based on different criteria.
Holding Retailers Accountable
Carrie Hunt, NAFCU's general counsel and senior vice president of government affairs, says retailers have little incentive to improve security and prevent breaches.
"There is no federal standard for retailers, relative to the safekeeping of financial information akin to the regulations credit unions must comply with as outlined in the Gramm-Leach-Bliley Act (1999)," Hunt says. "We support advances in technology, like the move to EMV chip and PIN; but unlike the retail industry, we do not believe this is a holistic solution."
Chip cards cannot be counterfeited like the legacy magnetic-stripe cards that still dominate the U.S. market. But chip card technology will not stop breaches, Hunt says.
"All entities handling financial data should have safekeeping and breach notification standards in place - chip and PIN can help with counterfeit card fraud, but that is not enough," she says. "For example, chip and PIN would not have prevented the Target breach."