Hold Merchants Accountable for Breaches? Banking Group Asks Congress to Take Action
Banking institutions rarely recover the financial losses they suffer after cards are exposed as the result of a retail breach. Losses have increased in the last year as a result of targeted malware attacks specifically designed to capture card data.
Card issuers say they don't hold their breath for much to change, at least not near-term. But the National Association of Federal Credit Unions is asking Congress to step in and hold breached retailers and processors accountable when their lax security practices result in the leakage of card data.
Merchants and processors should be investing in systems and technologies that help them better detect attacks on their own networks, but they have little incentive to do so.
Will Congress take notice of the recommendations? And is the NAFCU the right group to press for legislation? I don't know if the NAFCU on its own has the muscle to push Congress to take notice, but the group's advocacy is commendable.
I'm hopeful other banking organizations, such as the American Bankers Association and the Independent Community Bankers of America, join the cause.
Retail card compromises have for too long been pain points for banks and credit unions that card brands have failed to address. Retailers need to take on more responsibility for the breaches they suffer. Regulatory reform, which calls for more scrutiny of their networks and systems, is a viable solution.
A 5-Point Plan
The NAFCU's Five-Point Plan for Regulatory Relief recommends establishing national standards for the protection of all financial information, including payment card data. It also recommends holding merchants accountable for expenses, such as costs associated with card re-issuance, if card numbers and details are exposed during a breach. It calls for creating uniform federal enforcement standards for data security, which would prevent merchants from storing card and other financial information. And it asks that merchants be required to share their data security policies with customers.
The five-point plan also recommends that the burden of proof after data breaches fall back onto the merchant and/or processor that is attacked, rather than, as is the current practice, relying on card issuers to trace the fraud back to a common point of suspected compromise.
David Carrier, NAFCU's chief economist, says the average annual cost to a credit union after a retail breach involving card numbers is $86,000, based on a recent survey of the association's 800 member institutions. Those expenses include the issuance of new cards and covering losses - such as account losses - when fraudulent transactions occur. "That was much higher than expected," he says. "We think merchants need to be held accountable for breaches due to their own negligence. As it is right now, credit unions end up paying."
Complying with the Payment Card Industry Data Security Standard should mean that processing networks and POS devices and systems are not storing or exposing card data. But it doesn't, as recent retail attacks prove.
Retailers' Role for Better Security
Ensuring point-of-sale devices and systems are secure isn't easy. Nick Percoco, senior vice president at security vendor Trustwave, says legacy POS terminals, for example, often inadvertently store data.
"Today we see malware that is much more advanced," he says. "There is a population of merchants in the U.S. that still have point-of-sale systems that are ripe for these types of attacks. Right now, not all merchants are secure."
The PCI Security Standards Council, the card brands and others are pushing merchants to get all of their outdated devices and systems upgraded to avoid these types of security vulnerabilities. But that effort will take time.
And while the PCI-DSS clearly prohibits the storing of card data, it does not require full, point-to-point data encryption.
"PCI does not require encryption of data if it's being transmitted over a private network," Percoco says. "So if you have a merchant with a corporate office and 1,000 locations, and the data is being transmitted to other locations over a VPN, it can be sent in the clear."
Criminals know if they hack a corporate environment, they likely will have access to clear text data, he adds.
And then there's the issue of enforcement. The PCI SSC oversees the PCI-DSS, but it has no authority to enforce compliance. Visa and MasterCard require merchants and processors to attain PCI compliance in order to transact on their networks. But there's no uniformity to PCI audits, nor is there uniformity to how the qualified security assessors who perform the audits carry out their reviews.
And for banking institutions, as issuers, the costs associated with protecting card data after it's exposed are tough to recoup. Tracing card compromises to their source is becoming increasingly difficult as well.
Card issuers have to ensure they detect compromises as quickly as possible to limit their losses. As it is, issuing institutions are typically the first to identify an attack and link it to a breach.
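The tracing practice described above, in which an issuer looks for the common point of purchase shared by its fraud-flagged cards, is shown here as an added example; this is not code from the article or from NAFCU, and the transaction records, merchant names and card identifiers are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the article): issuer-side card
# transactions as (card_id, merchant_id, transaction_date), plus the set
# of cards the issuer has since confirmed were used fraudulently.
TRANSACTIONS = [
    ("c1", "grocer-A", date(2014, 1, 3)),
    ("c1", "fuel-B", date(2014, 1, 5)),
    ("c2", "grocer-A", date(2014, 1, 4)),
    ("c2", "cafe-C", date(2014, 1, 6)),
    ("c3", "grocer-A", date(2014, 1, 7)),
    ("c3", "fuel-B", date(2014, 1, 8)),
    ("c4", "grocer-A", date(2014, 1, 9)),
    ("c5", "cafe-C", date(2014, 1, 9)),
    ("c6", "fuel-B", date(2014, 1, 10)),
    ("c7", "fuel-B", date(2014, 1, 11)),
]
FRAUD_CARDS = {"c1", "c2", "c3", "c4"}


def common_point_of_purchase(transactions, fraud_cards, window=None, min_fraud_cards=2):
    """Rank merchants by the share of their cards that later turned up in
    fraud, restricted to an optional (start, end) compromise window.
    Merchants seen by fewer than min_fraud_cards flagged cards are dropped
    so that one coincidental card does not implicate a merchant."""
    cards_by_merchant = defaultdict(set)
    for card, merchant, when in transactions:
        if window and not (window[0] <= when <= window[1]):
            continue  # outside the suspected compromise window
        cards_by_merchant[merchant].add(card)

    results = []
    for merchant, cards in cards_by_merchant.items():
        hit = cards & fraud_cards
        if len(hit) >= min_fraud_cards:
            results.append({
                "merchant": merchant,
                "fraud_cards": len(hit),
                "total_cards": len(cards),
                "fraud_share": len(hit) / len(cards),
            })
    # Highest fraud share first; more flagged cards breaks ties.
    results.sort(key=lambda r: (r["fraud_share"], r["fraud_cards"]), reverse=True)
    return results


if __name__ == "__main__":
    for row in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS):
        print(row)
```

On this data grocer-A is the clear common point, but fuel-B also scores because two of grocer-A's cards shopped there too; that overlap is the kind of ambiguity that makes tracing harder as cardholders use more merchants, and narrowing the window changes the ranking.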
But merchants and processors should be investing in systems and technologies that help them better detect the attacks their networks suffer. The problem is, they have little incentive to do so.
Until retailers and processors are held more accountable for losses and insufficient security practices, not much will change.
Legislation could really make a difference, and the NAFCU deserves praise for its five-point plan. I hope other groups will lend their support to the effort as well.