On Tuesday, Feb. 4, the Senate Banking Subcommittee on National Security, International Trade and Finance held a hearing on protecting consumers’ data. Retail organizations, including the National Association of Convenience Stores (NACS), the National Retail Federation (NRF) and the Retail Industry Leaders Association (RILA), spoke out on the importance of data security.
“Credit card companies make the cards and set the security standards. Merchants spend roughly $6.5 billion each year to help prevent fraud and protect customers but can’t make up for all the vulnerabilities that fraud-prone credit and debit cards have,” said Lyle Beckwith, senior vice president of government relations at NACS. “To best protect consumers, real security standards need to be established that aren’t based on proprietary models only the credit card companies oversee.”
NRF urged Congress to take a comprehensive approach as it contemplates a national response to criminal cyberattacks in which millions of consumers’ credit and debit card numbers were stolen. NRF said retailers are willing to do their part to improve security, but that banks and card companies must also take major steps to shore up the current fraud-prone payments system.
“When a criminal breach occurs in the payments system, all of the businesses that participate in that system and their shared customers are victimized,” NRF Senior Vice President and General Counsel Mallory Duncan said. “Rather than resort to blame and shame, the parties should work together to ensure that the data breach is remedied and steps are taken to prevent and mitigate future breaches.”
“Retailers take the increasing incidence of payment card fraud very seriously,” Duncan said. “We have every reason to want to see fraud reduced, but we have only a portion of the ability to make that happen. We did not design the [payments] system, we do not configure the cards and we do not issue the cards. We will work to effectively upgrade the system, but we cannot do it alone.”
In the short term, Duncan said the banking industry needs to replace current cards, which store consumer data on 1960s-era magnetic strips and have users sign their name, with modern cards that encrypt data on an embedded microchip and require use of a secret Personal Identification Number, or PIN. Instead, banks and card companies have pushed so-called EMV – Europay, MasterCard and Visa – proprietary cards that use a chip but remain open to fraud by allowing the use of a signature. Duncan said replacement of easily forged signatures with a PIN and chip card is essential to security.
In his testimony before a subcommittee of the Senate Banking, Housing and Urban Affairs Committee, Duncan urged the U.S. to look beyond the Payment Card Industry’s (PCI) security standards and proposed EMV cards, and embrace a more secure and technologically advanced payments system that is as innovative as it is competitive. In the longer term, Duncan said further improvements, such as point-to-point encryption of data, “tokenization” of transactions and mobile payments, offer potential solutions to better protect consumers.
Duncan also urged Congress to pass the Cyber Intelligence Sharing and Protection Act, which would make it easier for the commercial sector to share information about cyberthreats and ensure that cybercrimes are thoroughly investigated and prosecuted. He said NRF also wants Congress to replace the varying data breach notification laws currently on the books in 46 states and the District of Columbia with a single, uniform nationwide standard and bolster law enforcement agencies’ abilities to combat cyberattacks.
In a statement submitted to the U.S. Senate Judiciary Committee, the Retail Industry Leaders Association (RILA) highlighted the importance of collaboration in strengthening overall cybersecurity. The letter was submitted for the record ahead of the Subcommittee hearing, “Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime.”
“Retailers take the threat of cyber attacks extremely seriously and work diligently every day to stay ahead of the sophisticated criminals behind them,” Bill Hughes, senior vice president of government affairs at RILA, stated in the letter. “Retailers employ many tactics and tools to secure data, such as data encryption, tokenization and other redundant internal controls, including a separation of duties. While these enhanced security measures help to rebuff attacks, retailers are constantly working to expand existing cybersecurity efforts.”
As part of the Cybersecurity and Data Privacy Initiative launched on Jan. 27, RILA is forming the Retail Cybersecurity Leaders Council (RCLC) to allow retailers to share threat information in a trusted forum. Further, RILA is calling for the development of both federal data breach notification legislation and federal cybersecurity legislation.
“Made up of senior retail executives responsible for cybersecurity, the RCLC will aim to improve industry-wide cybersecurity by providing a trusted forum for all stakeholders to share threat information and discuss effective security solutions,” continued Hughes in the letter. “RILA will engage with federal lawmakers and other stakeholders to develop sound and effective data breach notification and federal cybersecurity legislation that sets a national baseline to preempt the current patchwork of state laws and supports information sharing between the public and private sectors.”
RILA members include more than 200 retailers, product manufacturers, and service suppliers.