Retailers and banks engage in blame game over data breaches

In a press release issued yesterday, the Independent Community Bankers of America (ICBA) expressed "shock and outrage" over a letter sent Tuesday by the National Retail Federation (NRF) to Senate Majority Leader Harry Reid and House Speaker John Boehner, which it felt placed the blame on bankers for the recent data breaches at Target and Neiman Marcus.

Matthew Shay, president and CEO of NRF, wrote, "When it comes to the most criminally lucrative data—sensitive bank card information—our partners in the financial sector have a critical role to play in making sure their cards are secure. For years, banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next generation ‘PIN and Chip’ card technology for customers in Europe and dozens of other markets."

Camden Fine, president and CEO of ICBA, put the blame back on retailers and their processors.

"Nearly every retailer security breach in recent memory has revealed some violation of industry security agreements. In some cases, retailers haven’t even had technology in place to alert them to the breach intrusion, and third parties, like banks, have had to notify the retailers that their information has been compromised," Mr. Fine said in a statement. "Further, even card security controls such as chip and PIN technology would not have prevented the breach of personal information of more than 70 million U.S. consumers. Retailers must step up to the responsibility that comes with handling personal information of consumers."

Discussion Questions

Is there one party more to blame than another in the recent data breaches discovered at Target and elsewhere? Is Pin and Chip technology the answer to this data security issue?

14 Comments
Ken Lonyai
10 years ago

Not being an insider into transaction processing, I can only go with my gut and personal experience in thinking that this is more of a retail than banking issue. I tend to believe Camden Fine is correct in stating “Nearly every retailer security breach in recent memory has revealed some violation of industry security agreements.” For example, back in the day, cashiers used to check signatures on cards with what was signed by a shopper. Now there’s no scrutiny at all. It seems that in order to speed up and make the check-out experience more comfortable, retailers have gotten more lax.

In the end though, it will be a rare consumer that calls up their bank and yells at them for say Target’s data breach situation. So only retailers can protect their relationship with consumers by managing transaction security, no matter who’s involved in the process.

Paula Rosenblum
10 years ago

This is one where I think everyone owns a bit of blame. The banks REQUIRE their data transmissions be unencrypted. That’s a problem and it’s up to retailers to do it on their own.

Retailers have not yet come together around security the way other industries have. That continues to surprise me. The industry has certainly rallied around Organized Retail Crime.

As for Chip-and-Pin (I had never heard it described as Pin-and-Chip until I saw Matt Shay’s letter), all the information I read tells me that without point to point encryption or tokenization, it’s no more secure than mag stripes. This is not my area of expertise, so I am relying on others. But that’s what they say.

If you read the deepest documents on the breaches, you start to wonder if the problem doesn’t come back to the operating systems used to drive POS – i.e. Windows. And the data was removed using other Microsoft product weaknesses. But that’s also a pointless debate.

Personally, I’d prefer that everyone stop blaming each other and come together to fix the problem. It’s not going to get any better and there is no magic bullet. It’s an ongoing thing. Let’s get on with it.

Bob Phibbs
10 years ago

Customers only know where it happened, they don’t see banks as the culprits, much like they didn’t see it as UPS who didn’t deliver their Christmas presents — it was Nordstrom, Amazon, etc.

Regardless who it is, data breaches will be the big story of 2014 and it looks like several retailers are still to report their own from the holidays.

Ed Dunn
10 years ago

It should be apparent now the Target data breach will not blow over as debated in a previous discussion. I also predicted retail financial security will be the #1 agenda in 2014.

Magnetic cards are being made the scapegoat and if I was a Wall Street person, I would be looking a lot closer at mobile commerce startups this year.

The problem with chip and pin is the mixed messages about the data breach. If a 17-year-old kid wrote a malware script to infiltrate Target (which I do not believe for one second) then chip and pin cannot protect internal networks. I have maintained Target and Neiman Marcus POS hardware devices were most likely compromised and replacing magnetic stripe POS with chip and pin is the immediate solution.

Also banks appear to shun NFC and mobile payments and are just re-issuing new cards instead of getting to the root of the problem. This is going to be an interesting 2014 year in retail.

Cathy Hotka
10 years ago

There’s plenty of blame to go around, and hurling accusations at business partners isn’t the way to address this issue.

Three things should happen:

  • Retailers should outsource data security to providers with military-grade tools.
  • The retail industry should create an ISAC. I urged this a dozen years ago when I worked for NRF.
  • Key players in the industry should create an industry summit and invite experts like former federal CISO Howard Schmidt to participate.

Breaches are no longer aberrations. It’s time to get organized.

Joan Treistman
10 years ago

I agree with those who say pointing fingers is not acceptable. Developing and implementing programs that prevent breaches is what retailers and bankers should focus on. There have been enough examples of hackers breaking into confidential files for consumers to be aware that this happens. Once there is publicity about preventive action taken by any one or more retailers, shoppers will take note and take their own action. Whining and blaming is not a strategy.

Camille P. Schuster, Ph.D.
10 years ago

I have no idea which party is more to blame. However, focusing discussion on who to blame does nothing to restore consumers’ confidence in the retailers or the banks. The system of securing data and increasing confidence in the use of credit cards is the critical issue for increasing consumer confidence.

Ryan Mathews
10 years ago

Yes — hackers.

No, Pin and Chip may help, but the fact is that e-commerce has just made it easier for thieves to steal because it concentrates access to wealth.

You can try but you are never going to build a hack-proof system.

Mohamed Amer
10 years ago

Great comments and advice already on this crucial topic.

Consumers don’t care how this problem gets fixed, they expect it to be taken care of – period. The future growth of the revenue stream of retailers, banks, and emerging payment industry players is dependent on getting this solved.

It becomes an issue of trust for consumers which retailers rely upon to drive loyalty and engagement. It will take all parties to understand that investments need to be made, to redefine how the various parties work together to deliver on explicit and implicit promises made to consumers. This topic will remain one of the leading headlines in 2014.

Do keep in mind that even military-grade systems are vulnerable to a persistent, dedicated and motivated hacker; there’s no bullet-proof answer. But just because it can be cracked doesn’t mean that we hang the “come on in” sign and leave the door open a crack for this type of malicious conduct that undermines consumers’ trust.

Gordon Arnold
10 years ago

You need to open your eyes just a little wider to see the not so invisible person in this discussion. Our 21st century inquisition has conspicuously left out the Information Technology (IT) market sector in this one.

Retailers and bankers simply wish to rid themselves of cashiers, tellers and back office people to increase profits. They will listen to any viable offer that holds within the limits of acceptable company risk to reduce wages for the sake of the company. So if an IT company demonstrates a solution tested and rated on a hard wire direct connect platform what’s the worry? There is none until the software, by any other name if felt necessary, migrates to a wireless router solution without complete compensation for security issues built in to it.

The banks and retailers, in their hunger for expanding efficiency and profit, forgot to look to their own security needs and the needs of their clients. Needless to say, the IT market is sitting back saying how they only sold the materials and never tested or intended it for this use.

So who is the loser in this exchange? Everyone, as in the consumer or rather all of us. What is needed as a result of this episode is for finance institutions as well as businesses to create, support and continuously update a set of purchasing standards for IT systems without government intervention. If the government gets in, so do special interests and that may very well be the end for all that is intended.

The standards must focus on internal company system security, business continuity, inter-company and corporate communications and disaster recovery. You will hear a lot of innuendo and relative ownership of responsibilities designed to negate this need, but the simple truth is that for the sake of process efficiencies and profit the public stands at high risk of being compromised with no end in sight.

The one probable concern is the added time for market and company entrance as well as the costs incurred. This concern is short sighted to the needs of consumers and their credit ratings and savings.

Lee Kent
10 years ago

The issue is not who is to blame. We are working with 20th century technology and living in the 21st century. This technology has proven itself to be breachable time after time, and yet we keep pointing fingers, propping it up and not focusing on new technology. And folks, I don’t mean pin and chip.

Let’s get some heads down and rethink payment transacting. No mag stripe, no chip. At no point in the process should all the crucial data be in the same place. Maybe we can start with the PayPal model? hmmm…

Roger Saunders
10 years ago

It takes two to tango. Credit/debit cards and retail make a great pairing. But they have to work together, and share costs (they can figure out how to split that share), on the issuing and processing of payment systems that consumers have increasingly chosen to make use of over the past 40+ years.

The financial industry can issue a magnetic tape card for a nickel. If they issue ones with embedded codes to protect all concerned, it will cost them about $1.15 each. This will represent billions of dollars in expense. Retailers will have billions of dollars in expense in putting in new processing platforms within their stores and back offices.

To both parties: Stop with the fighting and pointing the finger. Get down to business, and work out the plans. The end consumer has chosen the payment plan that they want. And, either out of necessity or convenience, the consumer is not carrying around a wad of cash anymore.

I have friends who are traders or travelers who carry around a thousand bucks or more. However, the reality is the average consumer has less than 50 bucks in their wallet/purse. If the right confidence levels are held in terms of protection of privacy and financial risk, the consumer is going to make use of a card.

The Prosper Monthly Consumer Survey asks consumers how they pay for goods in 14 different retail categories. Beauty Care & Cosmetics and Dining Out are the highest categories that make use of Cash or Check, 36.2% and 35.1% respectively. The balance of payment methods are Cards. No other category exceeds 30%.

Bill Hanifin
10 years ago

There is shared responsibility here and both sides knew this day would come. Richard Sanders, formerly with Visa and now ACI Worldwide, stated to a group at CardTechSecureTech in 2005 that the US would adopt the EMV standard only when it had to. He also noted that the US would be the last of developed markets to do so. Protecting consumer data requires investment and both banks and retailers have deferred the investment. Now is the time to embrace the challenge.

Arusha Imtiaz
10 years ago

I am new to this world, but I have been following all these discussions very closely. I personally feel “which party is more to blame?” is not the right question to ask. The question should be “what should be the next step now?” Focus should be placed on how to gain back customers’ confidence in the retailers, because at the end of the day, it’s all about customers.