May 01, 2006

Most banks are expecting healthy growth over the next few years on the strength of their retail banking operations, according to a study by Accenture (Chicago). But are banks focusing enough on the issue of data security?

Nearly 80 percent of the more than 100 retail bank executives in the United States, Europe and Asia Pacific surveyed by Accenture between April and July 2005 said they believe strengthening their cross-selling capabilities is a key element to support growth in their retail banking businesses. But nowhere does the survey mention efforts by the banks to better secure the information they collect from the new clients they hope to attract. And the lack of a comprehensive information security strategy could actually hurt banks' profits, experts say.

The Accenture study was fielded prior to the highly publicized security breach this February that has banks worldwide scrambling to protect their retail customers by blocking PIN-based debit transactions and reissuing debit cards. The data breach and expense incurred to reissue cards could have a negative impact on profits, as well as banks' reputations.

Visa (San Francisco) in February acknowledged that a U.S.-based merchant that accepts Visa payments "may have experienced a data security breach resulting in the compromise of Visa card account information." Visa then alerted banks whose customers might be affected. Moves by several banks, including Bank of America (Charlotte, N.C.), Citibank (New York), Washington Mutual (Seattle) and Wells Fargo (San Francisco), to block some PIN-based debit transactions are related to the data breach at the same merchant, a Visa company spokesman acknowledges.

But the lack of information available to the public from the affected banks and Visa is "fanning the flames" of consumers' lack of confidence in cashless transactions, according to Beth Givens, director of the Privacy Rights Clearinghouse, a consumer advocacy group. "We do not recommend that consumers use debit cards," she says. "The problem with debit cards is that your own funds can be compromised," whereas credit card purchases can be appealed before impacting the card user's personal bank account.

Long Arm of the Law

As concerns over the vulnerability of customer data grow, laws are being passed to force banks to promptly report data breaches. More than 20 states have adopted data breach notification legislation to protect consumers from companies reluctant to reveal their inability to protect sensitive data.

"Companies viewed fraud loss as a customer service in absorbing the loss without notifying the customers," says Dana Mitchell, legislative director for California Assemblywoman Cindy Montanez. Mitchell, who in 2003 helped draft the groundbreaking California Security Breach Notification Act, adds, "The most important aspect of writing the law was changing the corporate culture regarding how they viewed breaches and fraud loss."

Visa advises all companies that handle payment card information to adhere to the Payment Card Industry (PCI) data security standard, which defines how cardholder data should be managed to keep it secure and forbids retailers from storing PINs online. PCI standards also require an information security policy, as well as annual security audits.

Courtesy of InformationWeek, a CMP Media publication.
