Card Security: Banks, Retailers CollaborateAssociations Join Forces to Help Prevent Retail Breaches
As tensions between bankers and retailers heat up over who should bear responsibility for expenses linked to recent high-profile retailer breaches, the Financial Services Roundtable and the Retail Industry Leaders Association have partnered to address card fraud and emerging cybersecurity risks (see Paying for Target Breach: The Debate). They're also working to build support for a national breach notification law.
See Also: A CISO’s Guide to Defender Alignment
The two groups have launched a collaborative effort that aims to enhance information sharing among organizations in the financial services and retail sectors and explore options for stronger U.S. card security technology and practices.
The RILA already is pushing to accelerate the U.S. migration to chip and PIN technology. While RILA is not necessarily pushing for adoption of chip technology that conforms to the Europay, MasterCard, Visa standard, better known as EMV, the benefits of EMV have been touted by other industry groups and representatives.
"RILA will continue to press the card networks and the issuing banks to migrate to universal PIN security and chip-based smart card technology," the retail organization notes. "In the event of a successful cybersecurity breach, the dynamic security features of such technology effectively prevent the use of stolen data."
The new collaborative effort demonstrates that the retail and banking sectors can work together to enhance cardholder security, in spite of their differences in other areas, such as interchange fees, says Tim Pawlenty, the former governor of Minnesota who now serves as CEO of the Financial Services Roundtable, a banking trade association based in Washington, D.C.
"I think it's fairly unique, in the sense that you have two trade associations that in the past have had some tension," Pawlenty says. But the goal is to create a sustainable relationship that can sufficiently address and react to emerging threats, he adds.
Avivah Litan, a financial fraud analyst for consultancy Gartner Research, says the partnership has the potential to truly enhance threat intelligence sharing.
"It's always good for these parties to have a dialogue," Litan says. "Beyond the threat intelligence piece, I think the main benefit is collaboration, information sharing and networking."
The FSR and RILA, a trade association for the world's largest retail companies, including the recently breached Target Corp., have created a Cybersecurity Leadership Council that also includes representation from a number of other associations. So far, association membership includes representation from the American Bankers Association, the American Hotel & Lodging Association, The Clearing House, the Consumer Bankers Association, the Food Marketing Institute, the Electronic Transactions Association, Independent Community Bankers of America, the International Council of Shopping Centers, the National Associations of Convenience Stores, the National Grocers Association, the National Restaurant Association and the National Retail Federation.
"We had broad aims to enhance cybersecurity, to inform the public and to enhance trust in our payments system," says Sandy Kennedy, RILA's president. "We are all committed to eliminating the mag-stripe [on payment cards], but realize we need system-wide collaboration."
Three key areas of focus have been identified by FSR and RILA as priorities for enhancing card and retail merchant security:
- Encouraging cross-sector information sharing, which builds the upon information sharing model developed by the Financial Services Information Sharing and Analysis Center.
- Reviewing innovative payment technologies.
- Forging partnerships among all stakeholders within the payments ecosystem to address long-term security and fraud threats, such as those within the e-commerce/card-not-present transactions and mobile payments.
Federal Breach Notification Law
Passage of a federal breach notification law is a priority for both collaborating organizations, Kennedy says. "It's very challenging when our retailers are complying with a patchwork of different laws dealing with breach notification."
RILA outlined its argument for national breach notification in a Feb. 3 letter to the Senate's National Security and International Trade and Finance Subcommittee.
"RILA looks forward to working with federal lawmakers and other organizations to develop sound and effective data breach notification and cybersecurity legislation that sets a national baseline to preempt the current patchwork of state laws and support information sharing between the public and private sectors," RILA states in its letter. "By working together with public-private sector stakeholders, our ability to develop innovative solutions and anticipate threats will grow."
Meeting in the middle will have to be a priority for banking institutions and retailers, Kennedy says.
While cynics may see the FSR and RILA's initiative to bring opposing forces to the negotiation table as purely a public relations move, Kennedy says banking institutions and retailers must collaborate to effectively fight today's cybercriminals.
"There's likely to be disagreement on both sides, but that is not what this partnership is about," she says. "This partnership is about enhancing security across the payments ecosystem."
On Jan. 27, RILA announced its Cybersecurity and Data Privacy Initiative, which it also noted in its Feb. 3 letter to the Senate subcommittee.
As part of the initiative, RILA is calling for more collaboration among retailers, banking institutions and card networks to advance improved payments security. Necessary changes noted in the initiative are:
- Retiring magnetic-stripe technology;
- Requiring the input of a PIN for all credit and debit card transactions;
- Establishing a roadmap for migration to chip-based card technology with PIN security; and
- Continuing cross-industry threat-intelligence sharing.
Pawlenty of the FSR says the RILA's initiative fits well with similar initiatives already adopted within the financial services sector.
"We face an array of attacks and the systems are all interconnected," Pawlenty says. "We are all only as strong as the weakest link." Bankers and retailers need to work together to share best practices for managing third-party vendors, securing internal data systems and staying ahead of emerging malware threats, he adds.