In the past few years, many battles have raged, pitting banking interests against the retail industry. Most of these skirmishes have dealt with how to split the interchange fees assessed on transactions at retail establishments that use debit or credit cards as payment vehicles. Recently, related issues have raised their ugly heads, as Target acknowledged that it had suffered a breach in its software that potentially compromised 40 million cardholders and the personal information of 70 million individuals. Shortly following this admission, Neiman Marcus disclosed a similar breach, though it did not affect as many cardholders. Much to the dismay of bankers, these retailers and their industry representatives have tried to lay blame on the banking industry for not having migrated quickly enough to EMV* standards, which embed a small microchip in the plastic card. Perhaps this is a fair argument. In the Target breach, however, the criminals entered through Target’s software, not through any debit or credit card. Thus no amount of card security would have prevented the breach.
To make matters worse, when a breach occurs, regardless of who is responsible, it is the bank which covers fraudulent transactions and has to suffer the expense of replacing cards, if necessary. According to a survey by the Independent Community Bankers of America, community banks have had to replace 4 million cards at a cost of $40 million as a result of recent breaches. Bankers have a hard time understanding why they bear this responsibility. Since an examination of the data can easily determine whose system failed, why not investigate and make the party at fault pay? Since 2005, according to the Identity Theft Resource Center, there have been 4,200 breaches of data. Of those breaches, healthcare had 43 percent; business, including retail, had 34 percent; government, military and education had 19 percent; and banking had 4 percent. Further, there are no standards for what should be done to combat breaches except in the banking sector, under the Gramm-Leach-Bliley Act Financial Privacy Rule, Safeguards Rule and Red Flag Rule. Additionally banks are subject to Regulation E, Regulation Z and other network rules. Perhaps these rules, with which banks must comply, are the reason banks have such a low breach percentage.
Fortunately the banking interests and the retail industry have agreed to come together through a joint cyberspace partnership to discuss how to deal with this problem collectively. Both sides will bring their biases and opinions to the table. It is hoped that fair resolution will be forthcoming. Following these recent breaches, Congress has taken strong interest in finding solutions to some of these problems. The costs are very real for all involved. Consumers whose identities are stolen can spend months, if not years, getting their records corrected. Retailers face a loss of confidence from their customer base that can cost millions of dollars in lost sales. And banks pick up the tab for fraud and card replacement.
Criminals are the only winners … until they get caught. That’s why this new working group is so important. It is committed to information-sharing, innovative technologies and forging partnerships to collaborate on finding solutions. Criminals are the enemies of all of the stakeholders, and we want to stop them before they start.
*Smart-card payment technology, a.k.a. EMV (Europay, MasterCard and Visa)
S. Joe DeHaven, 02/26/14