Compensating Banks for Breaches
'Retailers Should be Responsible for the Fallout'
A retailer should help pay for payment card re-issuance and other expenses after a breach if the merchant is shown to have had inadequate security measures in place, says Viveca Ware of the Independent Community Bankers of America.
"This is a very complex industry issue, but we believe, in general, that where there is a party that has not performed as expected - and that seems to be the case in these recent [retailer] breaches - we would like to see community banks be compensated appropriately rather than absorbing the cost to protect their customers," Ware says in an interview with Information Security Media Group (transcript below). "Merchants benefit from the acceptance of payment cards, and they certainly should be responsible for the fallout resulting from breached payment card information."
As retail breaches, like the ones suffered by Target Corp. and Neiman Marcus, have become more common, recovery expenses have become burdensome, especially for smaller institutions, Ware says.
During this interview, Ware discusses:
- The need for federally mandated breach notification, which would include immediate notification to card issuers possibly affected by a network compromise;
- Why smaller banking institutions need help to recover losses; and
- The message some banks are sending by suing retailers to recoup some of their losses.
Ware is executive vice president of regulatory policy for the ICBA. Before joining ICBA more than 20 years ago, she served in various management positions at Southwestern Virginia Community Bank. Ware also is the recipient of the Department of Treasury's Certificate of Appreciation for Distinction in Payments Management.
Cost of a Breach
TRACY KITTEN: On average, how much does a typical retail breach cost a banking institution?
VIVECA WARE: It's difficult to quantify the cost. To state it as an average cost, there are a lot of variables, but let me say that there are two measurable costs related to a breach. First, you have the cost of card reissuance, which will depend on the number of cards each institution has to reissue. They pretty quickly know that cost. Secondly, you have fraud cost, which may take months to surface. Then of course, the cost of impaired consumer confidence in the payment system is immeasurable.
Costs for Community Banks
KITTEN: Would you say that costs for community banks vary from those of other banking institutions?
WARE: We think that this range of $10 to $15 is typical for community banks and other small issuers such as credit unions. This estimate includes a lot of different components, such as the cost of new plastic, embossing and encoding the new card, new account set-up fees, the associated processing fees, the envelope and postage, blocking the old account, transferring balances from the prior account to the new account, and making sure that legitimate transactions are also transferred to the new account. Then you have the new PIN mailer, which is a separate envelope or mailer and postage. You have card activation and card holder notifications. The cost for a community bank and other smaller issuers will certainly be higher than some of your largest institutions, just because they don't have the same economies of scale.
Recovering Losses
KITTEN: When it comes to these expenses associated with fraud, how are banking institutions recovering their losses now?
WARE: It's important to remember that banks and card issuers have the responsibility for providing their customers with zero liability protection. Banks take the brunt of the losses and operational cost. There is essentially very little they can recover; however, Visa and MasterCard do have programs that enable issuers to recoup a portion of losses and operational expenses related to mag-stripe counterfeit fraud losses. This restitution is only available when the networks declare that a particular breach is eligible for the program. Each association or card network has its own criteria for determining whether or not it is going to declare a particular breach an event that would be eligible. But again, the restitution of the recovered amounts is just really small in comparison to the cost and fraud losses and the immeasurable cost of payment system reputational damage.
KITTEN: Could you give an example maybe of a breach that would be eligible?
WARE: Typically they are of massive scale. I believe the TJ Maxx breach a few years ago in 2009 [is one]. ... This is all governed by Visa and MasterCard rules. American Express and Discover don't have a similar program in place. They issue their own cards at the corporate level so there are no financial institution issuers, but there is just not a simple answer.
KITTEN: Does recovery hinge solely on the card brands?
WARE: It really does, because the two card brands, Visa and MasterCard, do have the recovery plans in place. Any costs that aren't covered by the card brands are absorbed by community banks and other issuers.
Cost to Retailers
KITTEN: What is the cost to retailers, especially when it comes to fraud, when a card is compromised?
WARE: The retailers don't incur cost related to specific fraudulent transactions. Instead, their costs are really internal: the cost that they would incur to complete the forensic examinations or investigations, the implementation of any necessary system changes, customer communications and reputational damage. But they don't pick up any of the cost related to the transactional fraud resulting from the breach.
KITTEN: What would the ICBA like to see happen where some of this responsibility might fall onto the retailers?
WARE: We recognize that whenever there is a breach of this magnitude, expenses can be significant for community banks. This is a very complex industry issue, but we believe, in general, that where there is a party that has not performed as expected - and that seems to be the case in these recent breaches - we would like to see community banks be compensated appropriately rather than absorbing the cost to protect their customers. Merchants benefit from the acceptance of payment cards, and they certainly should be responsible for the fallout resulting from breached payment card information.
ICBA and Lawsuits
KITTEN: How does the ICBA feel about banking institutions that have recently sued retailers, such as Target, to help recover some of their losses?
WARE: That is a tricky question and it is difficult to say. Litigation can be a very lengthy, protracted process, and the outcome is uncertain. However, community banks that have decided to sue or will decide to sue are certainly putting a stake in the ground by saying [they] won't tolerate this. They are sending a strong message to the retailers, and hopefully they will take heed of the message and take the appropriate steps to protect the customer information.
Regulatory Oversight
KITTEN: How does the regulatory oversight of banking institutions compare to that of retailers?
WARE: Oh, there is no comparison. Retailers have no oversight when it comes to ensuring the safety and soundness of the payment system, and we think that needs to be changed in order to protect consumers. As you mentioned, banks are covered by the Gramm-Leach-Bliley Act of 1999, and that imposes wide-ranging requirements for protecting consumer information. Of course when there is a breach, it also has specific notification requirements, and financial institutions are examined for their compliance with these requirements on a routine basis, as are their major data processors. Retailers just don't have that type of oversight.
KITTEN: What is the ICBA pushing for relative to more regulatory oversight for retailers?
WARE: We feel that there should be a standard [federal] requirement for breach notification. Right now, I believe there are 46 state laws in place that have different requirements. We also believe that the party who has experienced the breach should be responsible for making others whole, and that would include financial institutions. Also we think that there needs to be a stronger information sharing requirement, and that requirement would extend to the public and private sectors, but also between the different private sector segments like the banking and retail industries. If the retailers have information about a potential compromise that would affect the banking industry and their customers, then they should be required to share that information.
Banks' Responsibility
KITTEN: What about the responsibility that banking institutions have where oversight of retailers is concerned?
WARE: The banking industry doesn't have any oversight over retailers. The card networks, Visa and MasterCard, do have some rules in place that are designed to ensure the safety and soundness of the payment system, but financial systems do not have that oversight. And of course, there are always creative ways that are being tested to infiltrate the systems. And then when the networks do go in to evaluate retailer systems, they could very well get a passing grade at that particular time.
KITTEN: What steps is the ICBA taking to help ensure more collaboration with retailers?
WARE: There are a number of forums already in place for collaboration. The networks have various committees and advisory groups that include retailers and financial institutions of all sizes and charters, and they come up with a strategy for ensuring the safety and soundness of the payment card networks. There are other standards organizations as well that work on specific aspects of securing the payment card networks, and that includes PCI. You have some market-controlled forums in place, and we think that those certainly can be used to further strengthen the payment card system.
KITTEN: Are there any final thoughts you'd like to share with our audience?
WARE: I would like to reiterate that the protection of consumer confidential information is the responsibility of all parties who use or store the information, and therefore all need to work together to make sure that the weakest link is shored up. No specific technology is going to be a panacea in terms of resolving security or responding to data breaches, because the crooks are constantly working on schemes that will compromise new technologies. So the industry - and when I say the industry I mean all stakeholders, retailers large and small, financial institutions large and small - must continue to work to come up with creative technology solutions to ensure the integrity of the payment system.