Let's start with this comment: "The ABA has its head in the sand; instead of advocating for change, they simply blame others."
See Also: DevOps - Security's Big Opportunity
So says the outspoken information security expert and management consultant William Hugh Murray, responding to the American Bankers Association largely blaming retail breaches for the 12 percent uptick in financial fraud losses U.S. banks have had to absorb since 2012.
"The ABA has its head in the sand; instead of advocating for change, they simply blame others."
I first detailed the recent release of the ABA's 2014 Bank Deposit Account Fraud Survey Report in a Jan. 29 blog post (see ABA: Fraud Losses Are Up - But Don't Blame Banks). My blog immediately sparked a lively debate, to put it mildly, from well-versed readers on all sides of the issue. (You can read their full comments at the end of that blog.) And the finger-pointing is further evidence that the battle between banking institutions and retailers when it comes to cybersecurity responsibility, and the limits of "acceptable" fraud liability, remains alive and well.
To recap, Doug Johnson, the ABA's senior vice president of payments and cybersecurity policy, sums up the report's major finding thusly (emphasis is mine): "We saw an increase in fraud losses in 2014, most likely due to the number of large-scale retailer data breaches, which resulted in a significant increase in attempted debit card fraud"
In Johnson's telling, banks held the line. "Banks' sophisticated fraud-prevention systems and customer vigilance successfully stopped 85 percent of fraud attempts in 2014," he said, noting that losses linked to online banking and wire and ACH transactions accounted for only 2 percent of the banking industry's overall fraud loss.
Debit Card Fraud: Retailers to Blame?
Knowing the ABA's report would spark strong opinions, I specifically asked readers for their reactions. Here's just a sampling of what I received, starting with the remarks from the aforementioned Mr. Murray, who accuses the ABA of trying to deflect blame. In particular, he says the big problem is that banks have failed to implement mobile payment systems that offer relatively strong authentication.
"A great deal of the money the banks are spending, they spend to beat up on the merchants," Murray says. "While they collect massive fees from the merchants, they do not see them as customers. Rather, they see them as junior partners whose role it is to help them make high interest loans to consumers. While their sales pitch to the merchants includes security ... having collected the fees from the retail chains, they want to transfer the cost of fraud back to them. They seem surprised that some chains are ready to opt out of the bank-owned card system in favor a merchant-owned system like CurrentC. 'After all the banks have done for them?' No. After all the banks have done to them."
Support for ABA
Many observers, however, do share the ABA's view. "While I work in the [credit union] space, in this instance, I would have to agree ... Banks AND credit unions are investing millions of dollars in fraud and security systems (hardware/software), staffing, procedures, controls, audits, training, external reviews, exams, third party providers, vendor due diligence in this area, etc.," says a reader using the handle Fraud Stopper. "The [financial institutions], by and large, know that the ONE single most important attribute they need to provide is a safe and secure (including physical and data) member experience."
But Fraud Stopper thinks retailers aren't doing enough to stop fraud. "Retailers, [through] their massive lobby do not have the technical resources and the regulatory pressures to majorly change to the new realities we face, and, secondly, are really held accountable to no one (OK, sans PCI). But, seriously, [do we] want retailers to stop the breach overnight? The federal [government] just needs to mandate that ANY entity that participates in card acceptance above a certain dollar limit go [through] a comprehensive third-party audit that is reviewed by an 'accrediting' body. If the audit is horrible, the retailer has X number of days to comply or is shut down on cards. Trust me, things would change."
Both Sides: Room for Improvement?
Others, however, think both sides could be doing more. "If most of the fraud losses are due to large scale retailer data breaches, that seems to indicate that the problem lies with the use of static data elements for enabling debit transactions, such as debit card numbers," says Bob P. "Seems like the solution is for the banks and retailers to increase the use of chip-based debit cards that implement tokenization, so that breached information can't enable fraudulent transactions."
But another reader notes that banking institutions and major payment card brands, including Visa and MasterCard, should do more to help merchants shore up their security. "My experience as a consultant working with small merchants is that banks and card issuers are far too lenient (simply fining them) on merchants who continue to ignore PCI-DSS," says Dale H. "Most of these small merchants appear to be unconcerned about implementing PCI standards or the associated fraud that could happen as a result. Until the banks get serious about pressing these merchants to clean up their act, the merchant will maintain this posture of ignorance of PCI standards. It needs to start with the banks. Simply passing this off as a retailer problem is not the answer."
The debate over culpability for the increase in debit card mirrors a disagreement I detailed nearly a year ago, centering on retailers' reluctance to adopt EMV (see Readers: Merchant Security Too Lax).
Comparing then to now, it would be easy to conclude that banks and retailers have made scant information security progress either separately or together. But in fact, based on the many recent conversations I've had with representatives from the merchant sector, it's clear that they are taking fraud seriously and attempting to work more closely with banks and credit unions.
Still, retailers continue to have valid issues about the investments they're required to make to comply with security mandates such as PCI DSS or implementing EMV. Many retailers also perceive these requirements as having minimal breach prevention impact (see Is EMV Bad News to Small Businesses?). The formation of the Retail Cyber Intelligence Sharing Center might help bridge the gap between bankers and retailers, and facilitate more cross-industry agreement about payment security, but that remains to be seen (see Are Retailers Improving Cybersecurity?).
For now, judging by the volume and emotion of the current debate over fraud losses and who's responsible, we still have a very long way to go.
Even so, please do continue to weigh in below. I welcome your diverse points of view and the opportunity for us to expand this discussion.