OCC: Retailers Accountable for Breaches
Curry Says Merchants' Security Needs Improvement
Comptroller of the Currency Thomas Curry says "it's only fair" that merchants should be responsible for some of the expenses that result when their systems are breached.
"These recent [retail breach] incidents highlight the need for improved cybersecurity," Curry said during a recent speech at a community bankers' forum in Chicago. "But they also demonstrate why we need to level the playing field between financial institutions and merchants.
"The same expectations for security of customer information and customer notification when breaches occur should apply to all institutions," Curry added. "And when breaches occur in merchant systems, it seems only fair to me that they should be responsible for some of the expenses that result."
Some security experts say Curry's statements could signal a potential recommendation from banking regulators that either they or Congress should get more involved in making sure retailers' cybersecurity practices are monitored.
Curry noted that banking institutions are usually "on the hook" for reimbursing cardholders for the losses they suffer from fraudulent charges and transactions after credit and debit cards are breached. That responsibility, he said, falls onto the shoulders of banks and credit unions, even though they have no control over the security practices of the retailers that were the sites of breaches.
Banking institutions also must replace compromised cards and monitor account activity for potential fraud, he pointed out. "That's not easy for any bank, but it's a burden that falls especially heavily upon community institutions," Curry said. "At a cost of $5 or more per card [for reissuance] and covering the related fraud charges, the costs can run up very quickly."
Holding Retailers Accountable
Curry's comments seem to support the views already expressed by the National Association of Federal Credit Unions, which has called for legislation that would regulate merchant point-of-sale security (see Card Breaches: Retailers Doing Enough?).
NAFCU, since the summer of 2013, has been asking Congress to pass legislation, similar to the Gramm-Leach-Bliley Act, that would hold breached retailers and processors accountable for lax security practices (see Hold Merchants Accountable for Breaches?).
The GLBA, also known as the Financial Services Modernization Act of 1999, includes a wide range of requirements for protecting consumer data and breach notification to which banking institutions must adhere. Banks and credit unions that do not comply with GLBA data protection requirements face civil and criminal penalties, including fines of up to $10,000 per violation.
NAFCU has argued retailers should be held to a similar standard and face similar penalties.
But retail groups, including the Retail Industry Leaders Association, contend that merchants already compensate banks and credit unions for fraud losses and recovery expenses associated with breaches through the fees they pay to the card brands. RILA and other merchant groups also say retailers are continually investing in payments security technology as well as compliance with the Payment Card Industry Data Security Standard.
Analyzing Curry's Comments
Curry's recent statements demonstrate that banking regulators believe merchants' current security practices are insufficient, says Tom Kellermann, chief cybersecurity officer at the security and forensics firm Trend Micro.
"Thomas Curry is throwing down the gauntlet," Kellermann says. "I firmly believe that the banking regulators must get behind this movement. The weak link in the financial supply chain has become the retailers."
If retailers were required, as banking institutions are, to have segregated networks and deploy application security and breach-detection systems, it's unlikely merchants would have suffered so many breaches over the last 18 months, he contends. The legislative action proposed by NAFCU would be a positive cybersecurity step, he adds.
All merchants that accept payment cards are contractually required to comply with PCI-DSS, but that standard sets only minimum requirements, according to the PCI Security Standards Council. Network segmentation, for instance, is not a PCI-DSS requirement, although the PCI Council strongly recommends it because it shrinks the cardholder data environment that has to be protected and assessed.
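A segmentation boundary is only worth anything if it actually holds, so a practitioner would pair the recommendation with a check. The script below is an added example written for this article; it is not code from the article, the PCI Council, or any merchant. It reads firewall flow records and flags traffic that crossed into the cardholder data environment without matching an allow-list. The networks (an assumed CDE of 10.10.0.0/24 and a POS VLAN of 10.20.0.0/24), the permitted port, and the log format are all assumptions made for illustration, and the sample flows are constructed.

```python
"""Segmentation check over firewall flow records (added example, not from the article).

Assumptions (hypothetical, for illustration only):
  * the cardholder data environment (CDE) is 10.10.0.0/24,
  * point-of-sale terminals sit in 10.20.0.0/24,
  * only the POS VLAN may enter the CDE, and only on TCP/443,
  * flow records are 'src dst dport proto action' lines, a minimal stand-in
    for a NetFlow or firewall log export.
"""
import ipaddress
from dataclasses import dataclass

CDE = ipaddress.ip_network("10.10.0.0/24")   # assumed in-scope cardholder data environment
POS = ipaddress.ip_network("10.20.0.0/24")   # assumed POS terminal VLAN

# Allow-list of flows permitted to cross INTO the CDE: (source network, dst port, protocol).
# Anything else that crosses the boundary is a segmentation failure.
ALLOWED_INTO_CDE = {
    (POS, 443, "tcp"),
}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    action: str  # ACCEPT or REJECT, as reported by the firewall


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src dst dport proto action' record; '#' starts a comment."""
    src, dst, dport, proto, action = line.split("#", 1)[0].split()
    return Flow(
        ipaddress.ip_address(src),
        ipaddress.ip_address(dst),
        int(dport),
        proto.lower(),
        action.upper(),
    )


def is_allowed_into_cde(flow: Flow) -> bool:
    """True if the flow matches an allow-list entry (source network, port, protocol)."""
    return any(
        flow.src in net and flow.dport == port and flow.proto == proto
        for net, port, proto in ALLOWED_INTO_CDE
    )


def segmentation_violations(lines):
    """Return flows that were ACCEPTED into the CDE from outside it without an allow-list match.

    Flows that start inside the CDE, never enter it, or were already rejected by
    the firewall are not violations: the goal is to find traffic that crossed
    the boundary when it should not have.
    """
    violations = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        flow = parse_flow(line)
        crosses_into_cde = flow.dst in CDE and flow.src not in CDE
        if crosses_into_cde and flow.action == "ACCEPT" and not is_allowed_into_cde(flow):
            violations.append(flow)
    return violations


# Constructed sample records, not real log data.
SAMPLE_FLOWS = """
# src          dst          dport proto action
10.20.0.15     10.10.0.5    443   tcp   ACCEPT   # POS -> payment gateway, permitted
10.30.0.77     10.10.0.5    443   tcp   ACCEPT   # corporate LAN -> gateway, violation
10.30.0.77     10.10.0.9    3389  tcp   ACCEPT   # corporate LAN -> RDP into CDE, violation
192.168.50.4   10.10.0.5    443   tcp   REJECT   # guest Wi-Fi blocked at the firewall, fine
10.10.0.5      10.20.0.15   49152 tcp   ACCEPT   # traffic leaving the CDE, not checked here
10.20.0.15     10.10.0.9    22    tcp   ACCEPT   # POS -> SSH into CDE, violation (port not allowed)
"""

if __name__ == "__main__":
    for v in segmentation_violations(SAMPLE_FLOWS.splitlines()):
        print(f"VIOLATION {v.src} -> {v.dst}:{v.dport}/{v.proto}")
```

Run against the constructed records the script reports three violations: the corporate LAN reaching the gateway and an RDP port inside the CDE, and a POS terminal reaching SSH, which is a permitted source on a port that is not. The allow-list is deliberately deny-by-default: a boundary that merely blocks known-bad destinations would pass the corporate-LAN flows above, which is exactly the gap that lets a compromised back-office host reach card data.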
"Pointed comments related to cyber-risks from Thomas Curry often precede official actions from federal banking regulators," says Al Pascual, director of fraud and security at Javelin Strategy & Research. "But I question what form of action they could take that would have a measurable effect on how merchants, who are outside their purview, secure data."
Pascual speculates that the OCC, as the leading agency of the Federal Financial Institutions Examination Council, could sway banking regulators to pursue a more active role in retail security oversight.
He argues that scrutinizing the steps retailers take to protect consumer cardholder data might be an ideal fit for the Consumer Financial Protection Bureau, which was established in 2010 and became one of the FFIEC's regulatory agencies in July 2011 (see CFPB: What is New Regulator's Role?). "This might be a place where the CFPB could play a role," Pascual says.
The CFPB oversees depository institutions with more than $10 billion in assets. But it also has authority over non-banking entities, such as mortgage companies, payday lenders and private education lenders.
The CFPB's actions and supervision relate only to accountability and oversight for the consumer financial marketplace. CFPB Director Richard Cordray said in a 2013 presentation that the CFPB's basic aim is to level the playing field.
"As financial products and services evolved over time, depository institutions found themselves competing more directly against nonbank entities," he said. "One of the purposes of the new agency is thus to level the playing field between banks and nonbanks under the consumer financial laws."