The massive security breaches that compromised credit and debit card data for millions of holiday shoppers across the U.S. last year prompted a push for improving payment systems and tightening regulations.
Among those advocating for action is the Michigan Credit Union League, the trade association for credit unions in the state that’s urging federal regulators to step up scrutiny of retailers’ security practices. In an age when a majority of retail transactions are now conducted electronically, the MCUL wants the federal Consumer Financial Protection Bureau to supervise how retailers guard customer data and investigate data breaches.
“We think retailers should have skin in the game, and they ought to be responsible and have a vested interest in protecting customers’ information,” said Ken Ross, the former top financial regulator for the state of Michigan who’s now chief operating officer at the MCUL.
Banks and credit unions operate under “very stringent” federal requirements to protect sensitive customer financial information. The data breach at retailer Target “has exposed that we have kind of an ecosystem that exists in the payments world” that isn’t subject to very strict requirements, Ross said.
“The Target breach is really an example of how one piece of the puzzle, if it doesn’t fit quite well, can really cause some serious downstream implications,” he said. “(Retailers) should make (security) a priority just as much as financial institutions make it in their day-to-day business.”
The trade association argues that the Consumer Financial Protection Bureau, formed in 2010 under the federal Dodd-Frank Act that Congress passed in the wake of the 2008 financial crisis, already has the legal authority to investigate security breaches at retailers, particularly those that own branded credit cards.
In a February letter to the federal regulatory panel, MCUL Chief Executive Officer Dave Adams argued that the security breaches at Target, Neiman Marcus and others “serve to shed further light on the problem that retailers are not implementing proper security protocols and care to protect the sensitive personal and financial information that they obtain from their consumers.”
The league wants federal regulators to supervise retailers that “pointedly fail to take proper steps to protect consumers and their private information in the course of offering and providing consumer financial services,” Adams’ letter states. “Consumers would certainly benefit from the regulation of a retail industry that, at the moment, relies on largely self-policing standards that are inadequate to the point of consumer deception.”
The MCUL estimates that the Target security breach alone cost credit unions in the U.S. $30 million, and $1.6 million in Michigan, to assist affected customers and replace breached cards.
“When a breach occurs – unfortunately, under the current environment – depository institutions, including credit unions, end up paying for their mistakes,” Ross said.
In the aftermath of the holiday data breaches, the National Retail Federation has urged an overhaul of the system that handles electronic payments for retailers. Most recently, the Washington, D.C.-based Retail Federation testified at a March 26 Senate committee hearing on cyber attacks that it has long advocated for transitioning to debit and credit cards that require a personal identification number.
Cards that use a magnetic strip carrying sensitive customer data and require a signature are too easily replicated, Retail Federation General Counsel Mallory Duncan said before the Senate Committee on Commerce, Science and Transportation.
“The bottom line is that cards are poorly designed and fraud-prone products that the system has allowed to continue to proliferate,” Duncan said. “Protecting all cards with a PIN instead of a signature is the single most important fraud protection step that can be taken quickly. It’s proven, it’s effective and it’s relatively easily implementable.”
Duncan also noted that more data breaches (37 percent) occurred at financial institutions than at retailers and restaurants (24 percent), according to the 2013 Verizon Data Breach Investigations Report.
“And there are hundreds of times as many merchants that are potential targets of criminals in this area,” she said.
Financial institutions and credit card companies have perpetuated the present system, Duncan said. Merchants and consumers “have virtually no role in designing the payment system” and “must work with the system that is delivered to them.”
“We have every reason to want to see fraud reduced, but we have only a portion of the system of the ability to make that happen,” Duncan said. “We did not design the system. We did not configure the cards. We do not issue the cards. We will work to effectively upgrade the system, but we cannot do it alone.”
The MCUL’s Ross agrees that financial institutions and retailers need to come together with credit card companies and agree on upgrades to the payment system, although retailers still need to invest more in security, whether on their own or because of regulatory or legislative action.
“At the end of the day, none of us can live in a silo here. We’re all in an ecosystem where we are all providing value for our members and consumers who want to take advantage of a well-functioning payment system that wants to protect their information,” Ross said. “It’s not to anyone’s benefit to have a weak link in the chain.”