Merchant groups refute credit unions’ claims on data breach fault

By Erin Ayers on October 10, 2014

A coalition of retailer trade groups this week struck back, in a letter to President Barack Obama, at criticisms from the National Association of Federal Credit Unions (NAFCU) that retailers are more at fault than banks for data breaches.

“NAFCU, an organization whose members suffer data breaches, should know better than to engage in the type of finger pointing they put in their letter,” the groups stated in the letter, which was signed by the National Grocers Association, the National Restaurant Association, and the National Association of Convenience Stores. “First and foremost, we should recognize that businesses whose data is breached are victims of crime. While we can and should do more to try to prevent such crimes, we ought to keep that in mind.”

The groups pointed out that Verizon’s most recent report on data breaches found that 34% of all data security incidents with actual data loss in 2013 were experienced by the financial industry. The retail sector saw 10.8% of events, and hotels and restaurants experienced 10%, of 1,367 total recorded events.

“Given these figures, and the news that 76 million accounts were compromised in the recent JP Morgan Chase breach, the financial industry should not be pretending that data security is a retail problem,” the groups said.

According to the letter, payment card fraud results in more losses to merchants – who already pay over $6.5 billion to guard against card fraud every year.

“Visa and MasterCard rules and Federal Reserve regulations demonstrate that merchants prepay financial institutions for the costs of re-issuing cards due to fraud concerns, prepay the fraud losses that financial institutions may have on payment cards and then pay again for the costs of fraud and re-issuing cards when merchants suffer data breaches,” the groups said. “Financial institutions do not reimburse merchants for fraud costs merchants incur when the financial institutions suffer data breaches. Nor, of course, do financial institutions object to getting paid for these costs twice.”

The real problem is the continued use of “fraud-prone” cards that allow criminals to access accounts with merely the number on the card. Financial institutions should be doing more to safeguard their customers’ accounts, the merchants’ groups said, such as consistent PIN use.

“The financial industry resistance to the use of PIN numbers – and, in fact, the practice of many credit unions of discouraging the use of PIN by charging their customers for using PIN numbers – directly contradicts our shared interest in improving data security. And, of course, it demonstrates in a concrete way that financial institutions are more focused on the higher fees they make from non-PIN transactions than they are in protecting consumers,” the groups said.

The NAFCU has recommended that retailers reimburse banks and credit unions for breach costs. The NGA, NRA and NACS say they already do, by paying the costs of fraud and the costs of re-issuing cards through card swipe fees and reimbursement.

“Banks and credit unions do not pay for merchants’ breach costs when the banks/credit unions are breached so adding the same responsibility onto banks/credit unions may be a point of common ground – especially if NAFCU thinks breached entities should only pay once as that would entitle merchants to substantial refunds,” the letter said.

The NAFCU also called for national standards for protecting information, for disclosure of breaches from retailers, and for retailers to limit data retention. The merchants’ letter charged back that banks and credit unions complicate the issue by not being able to accept encrypted data and requiring data retention to settle consumer disputes long after the purchase. The groups also said that federal law makes no requirement on banks to disclose their breaches and that retailers “have found that financial institutions have at times blamed merchants when those merchants were not the source of the breach.”

“Overall, NAFCU’s letter is more significant for what it doesn’t say than for what it does say. It is unfortunate that NAFCU would rather try to assign blame than constructively find ways to address the problems of data breach and fraud. In our view, progress can only be made on these important issues if we look objectively at facts rather than distracting from the real issues by looking for a scapegoat,” the groups concluded.

In a recent survey, NAFCU found that the majority of respondents (84.4 percent) were hit with a data breach in the last two years, exposing via “large retailer breaches” an average of 20.6 percent of customer payment cards. NAFCU members also plan to spend more on data breach costs in 2015 than in 2014.


Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at erin.ayers@zywave.com.