But first, the 'blame storm.'
February 3, 2014 by Suzanne Cluckey — Owner, Suzanne Cluckey Communications
This week, three separate Congressional committees will hear testimony regarding data breaches at Target, Neiman Marcus and Michaels.
The first, a Monday hearing before the Senate Banking, Housing and Urban Affairs Committee, titled, "Safeguarding Consumers' Financial Data," included testimony from several government agencies as well as private sector interests including the American Bankers Association, the National Retail Federation and the PCI Security Standards Council. With each, there was some shifting — or shunning — of blame for what could be the biggest data breach in history.
American Bankers Association
Representing the ABA, James A. Reuter, EVP of Lakewood, Colo.-based FirstBank, decried the inequity of a payments system in which the banking, credit and financial sector accounted for only 2 percent of all breached records in 2013 but bore the lion's share of breach recovery and fraud expenses. He advocated for a number of measures to change the status quo, including:
Raise all participants in the payments system to comparable levels of security. Security within the payments system is currently uneven. In addition to adhering to the Payment Card Industry Data Security Standards, banks and other financial institutions are also subject to significantly higher information security requirements than others that facilitate electronic payments and house bank customer payment data. More must be done to buttress and enforce the current regulatory requirements that merchants face.
Make those responsible for data breaches responsible for their costs. Banks bear the majority of costs associated with the fraud caused by breaches even though our industry is responsible for only a small percentage of the breaches that have occurred since 2005. When any entity — be it a bank, merchant, college or hospital — is responsible for a breach that compromises customer payment data or personally identifiable information, that entity should be responsible for the range of costs associated with that breach to the extent it was not adhering to the necessary security requirements.
National Retail Federation
Citing a different set of statistics, NRF SVP and general counsel Mallory Duncan shifted responsibility back onto the banking system.
It may be surprising to some given recent media coverage that more data breaches occur at financial institutions than at retailers. And, it should be noted, even these figures obscure the fact that there are far more merchants that are potential targets of criminals in this area. There are hundreds of times as many merchants accepting card payments in the United States as there are financial institutions issuing and processing those payments.
While Reuter cited statistics for the U.S. only, Duncan's figures covered the U.S. and 26 other countries. Duncan also cited a report by LexisNexis and Javelin Strategy & Research that said fraud cost retailers 10 times more than it cost banks. However, that figure covered all card fraud, not just fraud resulting from data breaches.
Duncan also cast a share of the blame on PCI:
[M]erchants are expected to annually demonstrate PCI compliance to the card networks, often at considerable expense, in order to benefit from a promise that the merchants would be relieved of certain fraud inherent in the payment system, which PCI is supposed to prevent. However, certification by the networks as PCI-compliant apparently has not been able to adequately contain the growing fraud, and retailers report that the "promise" increasingly has been abrogated or ignored.
Ultimately, Duncan said, retailers were at the mercy of the major card companies, the banks and PCI (a creation of the major card companies) that dictated payment procedures — which were obviously inadequate.
When it came to solving the problem of fraud, though, the NRF and the ABA were essentially in agreement about what was needed: chip-and-PIN transactions and a national standard for card security.
PCI Security Standards Council
For its part, PCI was on board with chip, but said nothing about chip-and-PIN. PCI CTO Troy Leach stayed out of the blame game but made it known that the government should butt out of standards development and leave it to PCI.
The Council believes that the development of standards to protect payment card data is something the private sector, and PCI specifically, is uniquely qualified to do. It is unlikely any government agency could duplicate the expansive reach, expertise and decisiveness of PCI. High profile events such as the recent breaches are a legitimate area of inquiry for the Congress, but should not serve as a justification to impose new government regulations. Any government standard in this area would likely be significantly less effective in addressing current threats, and less nimble in protecting consumers from future threats, than the constantly evolving PCI Standards.
On Tuesday, the Senate Judiciary Committee will hear testimony from Target VP and CFO John Mulligan, as well as remarks by executives from Neiman Marcus, Consumers Union and Symantec.
On Wednesday, representatives from Target and Neiman Marcus will go before a House panel to answer legislators' questions about why and how the breaches occurred.
Suzanne’s editorial career has spanned three decades and encompassed all B2B and B2C communications formats. Her award-winning work has appeared in trade and consumer media in the United States and internationally.