News & Commentary

11:08 AM
Jonathan Camhi
Jonathan Camhi
Commentary
Connect Directly
Facebook
Twitter
Google+
RSS
E-Mail
50%
50%

Banks and Retailers Face Off Over Target Breach and EMV Adoption

Retailer and bank associations traded allegations yesterday over who is at fault for recent security breaches at major retailers.

Matthew Shay, the president and CEO of the National Retail Federation, accused banks of being responsible for the recent data breaches at Target, Neiman Marcus and other retailers in a letter sent to Congressional leaders yesterday. Shay claimed that banks had been delaying the migration to EMV chip-and-PIN cards while issuing less secure magnetic stripe cards, leaving customers’ card data vulnerable to hackers.

For years, banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next generation “PIN and Chip” card technlogy for customers in Europe and dozens of other markets.

This assertion didn’t go over so well with banks. The ICBA retaliated yesterday in a public statement, alleging negligence on the part of several retailers that have suffered data breaches in recent years.

Nearly every retailer security breach in recent memory has revealed some violation of industry security agreements. In some cases, retailers haven’t even had technology in place to alert them to the breach intrusion, and third parties, like banks, have had to notify the retailers that their information has been compromised.

The ICBA statement goes on to note, rightly, that chip-and-PIN cards wouldn’t have prevented the breach last month that exposed the cardholder data of more than 70 million customers over 19 days. Chip-and PIN help protect against card-present fraud like skimming, but do nothing against card-not-present crimes like the malware attack against Target, Julie Conroy, a senior analyst at Aite Group, said in a PaymentSource story published earlier this week regarding the attacks. Target could have adopted tokenization for its online transactions to prevent the attack, Conroy added.

For More on the Target Breach, Check Out:[ Will Target Data Breach Speed EMV Adoption in US?]

The ICBA urged Congress in its statement to “ensure that parties that suffer a data breach are required to bear for fraud losses and restitution to affected parties.” It also asked for a national standard on data security breaches to replace the differing state laws that are in place.

In addition to calling for the faster adoption of EMV, the National Retail Federation’s letter to Congress also asked for a national standard for breach notification and the passage of a Federal cyber security law.

Even though the retailer association may be throwing up some smoke and mirrors by focusing on EMV as the answer, both sides have sensible recommendations for better consumer fraud protection. It’s just a question of who is going to step up and pay for the necessary upgrades and changes. The NRF’s letter asked banks to “lead” the adoption of chip-and-PIN in the U.S. The issue around EMV has always been the cost, which nobody wants to shoulder. And that doesn’t excuse the retailers from better securing their own payments infrastructure through online tokenization, better systems monitoring and other options that are available without EMV.

In an earnings call last week JP Morgan CEO Jamie Dimon responded to a question about the Target breach by saying that it could “be a chance for retailers and banks to for once work together as opposed to sue to each other like we’ve been doing.” Looks like the opportunity is being squandered.

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Byurcan
50%
50%
Byurcan,
User Rank: Author
1/27/2014 | 1:21:31 PM
re: Banks and Retailers Face Off Over Target Breach and EMV Adoption
Yes, the different parties (Retailers, Banks, etc.) really need to stop bickering and work together. It doesn't matter whose fault it was, what matters is protecting customer's data. Though in this case, it does appear the NRF fired off this statement to try and save a little face for Target, Neiman Marcus.
Greg MacSweeney
50%
50%
Greg MacSweeney,
User Rank: Author
1/27/2014 | 1:06:24 PM
re: Banks and Retailers Face Off Over Target Breach and EMV Adoption
Banks, payments providers and retailers better be careful when it comes to preventing fraud. If a few more of these Target-like breaches happen and the public starts to question security procedures, you know that Congress is going to try and "do something." Unfortunately, whatever Congress does probably won't really help solve anything. So the entire industry needs to get ahead of this, quickly, unless they all want to spend a lot of time and $$$ complying with regulatory red tape (on top of what they are doing already).
Jonathan_Camhi
50%
50%
Jonathan_Camhi,
User Rank: Author
1/24/2014 | 7:58:24 PM
re: Banks and Retailers Face Off Over Target Breach and EMV Adoption
If you think about it, for a long time the discussion about cooperation was around banks working together to help defend against fraud. Now that is starting to happen some after the DDoS attacks last year. But this shows that it's more than just banks working together. It's the whole payments ecosystem.
BankTechAsia
50%
50%
BankTechAsia,
User Rank: Apprentice
1/24/2014 | 2:13:39 AM
re: Banks and Retailers Face Off Over Target Breach and EMV Adoption
It's like the retailers are saying "Here's the buck, take it. I'm passing it to you" and the bankers saying in return "No, no. I Insist, you keep it."
KBurger
50%
50%
KBurger,
User Rank: Strategist
1/23/2014 | 7:05:32 PM
re: Banks and Retailers Face Off Over Target Breach and EMV Adoption
And in the meantime while this catfight is going on, who pays the price? The consumer, of course. Your comment at the end (and Jamie D's quote) really capture this whole sorry situation. Everyone who talks intelligently about security and the new breed of threats/crimes says more cooperation is needed -- among banks, between banks & retailers, etc. -- to identify, halt & apprehend plots/criminals. But it doesn't look like this is happening, and in the meantime the crooks are getting smarter & more organized.
Register for Bank Systems & Technology Newsletters
White Papers
Current Issue
Bank Systems & Technology - August 2014
Modern core systems are emerging as the foundations of effective channel integration and customer engagement initiatives.
Slideshows
Video