Disagreements over who should shoulder responsibility for data security have become de rigueur after every major breach over the past few years. The same questions and concerns voiced after the Target breach were also aired after a major breach at TJX more than five years ago.
Retailers continue to insist they are doing all they can to keep customer data secure, while banks have claim they must bear too much of the costs of retail security breaches. Efforts to close the gap have see little real progress over the past several years.
Retailers, especially big ones, must focus most of their information security efforts on compliance with the Payment Card Industry Data Security Standard, a set of security requirements mandated by Visa, MasterCard, American Express and other credit card associations.
The PCI standards aim to get retailers to adopt best practices for protecting credit and debit card data. Over the years, compliance with the standard has become the security end goal for many retailers. Target and other top retailers have spent tens of millions of dollars on ensuring PCI compliance over the past few years.
The payback on these investments have to date been somewhat mixed.
Retailers continue to remain huge targets for data thieves. The Target breach alone resulted in the compromise of more than 40 million credit and debit cards and the exposure of personal data from some 70 million more people. At least three other retailers, including Neiman Marcus, were recently compromised in similar fashion.
Data breaches in recent years have forced retailers to pay tens and even hundreds of millions of dollars in remediation, legal and other costs.
Still, the payment card industry does not have so much as an information sharing and analysis center for disseminating malware and threat-related data like almost every other major sector does.
Several PCI-compliant companies have suffered breaches, raising questions about the effectiveness of the standards, which critics say has failed to keep up with fast evolving security threats.
Gartner analyst Avivah Litan noted in a blog post this week that nothing in the PCI standard would have helped Target detect the malware used to attack its point-of-sale system network.
Other efforts to improve payments systems security, such as end-to-end encryption and tokenization of payment card data, have also had limited success because of relatively low adoption levels. Retailers who have adopted such measures sometimes claim they are forced to decrypt data before sending it to their bank.
Banks have also continued to drag their feet on chip and PIN technology.
Organizations like CUNA have been quick to note that updated technology, also known as Europay MasterCard Visa (EMV) smartcard, would likely have done little to stop the Target incident.