January 23, 2014

Matthew Shay, the president and CEO of the National Retail Federation, accused banks of being responsible for the recent data breaches at Target, Neiman Marcus and other retailers in a letter sent to Congressional leaders yesterday. Shay claimed that banks had been delaying the migration to EMV chip-and-PIN cards while issuing less secure magnetic stripe cards, leaving customers’ card data vulnerable to hackers.

For years, banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next generation “PIN and Chip” card technlogy for customers in Europe and dozens of other markets.

This assertion didn’t go over so well with banks. The ICBA retaliated yesterday in a public statement, alleging negligence on the part of several retailers that have suffered data breaches in recent years.

Nearly every retailer security breach in recent memory has revealed some violation of industry security agreements. In some cases, retailers haven’t even had technology in place to alert them to the breach intrusion, and third parties, like banks, have had to notify the retailers that their information has been compromised.

The ICBA statement goes on to note, rightly, that chip-and-PIN cards wouldn’t have prevented the breach last month that exposed the cardholder data of more than 70 million customers over 19 days. Chip-and PIN help protect against card-present fraud like skimming, but do nothing against card-not-present crimes like the malware attack against Target, Julie Conroy, a senior analyst at Aite Group, said in a PaymentSource story published earlier this week regarding the attacks. Target could have adopted tokenization for its online transactions to prevent the attack, Conroy added.

For More on the Target Breach, Check Out:[ Will Target Data Breach Speed EMV Adoption in US?]

The ICBA urged Congress in its statement to “ensure that parties that suffer a data breach are required to bear for fraud losses and restitution to affected parties.” It also asked for a national standard on data security breaches to replace the differing state laws that are in place.

In addition to calling for the faster adoption of EMV, the National Retail Federation’s letter to Congress also asked for a national standard for breach notification and the passage of a Federal cyber security law.

Even though the retailer association may be throwing up some smoke and mirrors by focusing on EMV as the answer, both sides have sensible recommendations for better consumer fraud protection. It’s just a question of who is going to step up and pay for the necessary upgrades and changes. The NRF’s letter asked banks to “lead” the adoption of chip-and-PIN in the U.S. The issue around EMV has always been the cost, which nobody wants to shoulder. And that doesn’t excuse the retailers from better securing their own payments infrastructure through online tokenization, better systems monitoring and other options that are available without EMV.

In an earnings call last week JP Morgan CEO Jamie Dimon responded to a question about the Target breach by saying that it could “be a chance for retailers and banks to for once work together as opposed to sue to each other like we’ve been doing.” Looks like the opportunity is being squandered.

ABOUT THE AUTHOR
Jonathan Camhi is a graduate of the City University of New York's Graduate School of Journalism, where he focused on international reporting and interned at the Hindustan Times in Delhi, ...