Retailers and banks must move quickly to figure out who should be responsible for better securing the payments system network or risk having Congress decide for them.
In the weeks since a massive data breach at retailer Target, banks and retail industry groups have been ferociously blaming each other for not doing enough to prevent such hack attacks. The latest debate continues a longstanding feud that has stalled progress on efforts to improve credit and debit card security.
Both sides need a change in attutude.
The American Bankers Association (ABA), Credit Union National Association (CUNA), the National Association of Federal Credit Unions (NAFCU) and others have renewed calls for regulations that would require retailers to implement stronger data security controls.
"When a retailer like Target speaks of its customers having 'zero liability' from fraudulent transactions, it is because our nation's banks are providing that relief, not the retailer that suffered the breach," ABA president Frank Keating said in a letter to Congress earlier this month.
In an opinion piece posted on AmericanBanker.com, last week, NAFCU CEO Dan Berger chided retailers for downplaying their role in safeguarding sensitive customer data.
The Gramm-Leach Bliley Act for years has required that banks and credit unions implement strong data security controls, he noted, and now it's time to implement similar rules for retailers. "If retailers want to reap the rewards of consumer sales, they should also take an active role in protecting their data," Berger said.
According to CUNA, credit unions to date have so far spent more than $30 million to recall and reissue credit and debit cards impacted in the Target breach. When fraud related costs are factored in, credit unions could end up paying a much higher price for Target's folly, according to the association.
"Contrary to what some may think, these expenses will not be reimbursed to credit unions and their members by Target or other retailers," CUNA President and CEO Bill Cheney said in a statement "Rather, credit unions must solely cover these costs of their card program administration, including in these circumstances of reacting to a merchant data breach."
Meanwhile, the influential National Retail Federation (NRF) deftly responded by placing the blame for breaches on card technology used by banks and credit unions around the U.S.
"For years, banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next-generation PIN and Chip card technology for customers in Europe and dozens of other markets," NRF President and CEO Matthew Shay said in a letter to two lawmakers this week.
Retailers are ready and willing to make the switch to PIN and Chip cards, but banks have dragged their feet, Shay contended. "The fact remains that retailers cannot do this alone."