While credit unions continue to warn members, NAFCU has called on Congress to address data security in light of the Target security breach affecting an estimated 40 million debit and credit card accounts.
“Financial institutions, including credit unions, have been subject to standards on data security since the passage of Gramm-Leach-Bliley. However, retailers and many other entities that handle sensitive personal financial data are not subject to these same standards, and they become victims of data breaches and data theft all too often,” NAFCU President/CEO Dan Berger said Thursday in a letter to House Speaker John Boehner (R-Ohio) and House Minority Leader Nancy Pelosi (D-Calif.).
“While these entities still get paid, financial institutions bear a significant burden as the issuers of payment cards used by millions of consumers. Credit unions suffer steep losses in re-establishing member safety after a data breach occurs.”
NAFCU urged Congress to hold hearings on the data protection standards of merchants and how to strengthen them.
“Furthermore, we recommend Congress take action to enact provisions to protect consumers from breaches that compromise their financial and personally identifiable information. Data security is a common-sense bipartisan issue that must be addressed,” the letter said.
NAFCU also made a serious of policy recommendations in the letter, including a requirement for a merchant or retailer who incurred a security breach to prove lack of fault.
“These parties should have the duty to demonstrate that they took all necessary precautions to guard consumers’ personal information but sustained a violation nonetheless. The law is currently vague on this issue, and NAFCU asks that this burden of proof be clarified in statute,” the letter said.
CUNA said on Friday that it has already reached out to major credit card companies about the personal data leak.
“We have already been in touch with Visa and other major card payments processors to ascertain the impact on credit unions, if any,” said CUNA President/CEO Bill Cheney.
“This latest breach – while at this point reportedly smaller than the March 2007 TJX Companies Inc., breach – once more raises the issue of the retailers’ responsibility in securing information for card transactions at their stores. Credit unions and other financials typically foot the bills for the breaches, in forms of issuing new cards and other security responses – as well as the reputational costs to member and customer trust in financial transactions using cards,” he added.
CUNA said it would continue to monitor the situation.
Some credit unions are already taking action.
The $5.4 billion Bethpage Federal Credit Union in Bethpage, N.Y. and the $4.9 billion Teachers Federal Credit Union in Long Island, N.Y. are in the process of contacting some of their members.
“Bethpage is currently identifying any member accounts that may have been impacted. If it is suspected that an account has been impacted, members will be contacted directly and a new card will be issued. In the meantime, existing cards can continue to be used,” said Bethpage’s official website.
“We are actively analyzing cardholder transactions to ascertain if any of our members are affected. Any cardholders identified during this analysis will be contacted,” said Teachers’ website.
John Buzzard from FICO's Card Alert Service said Target was most likely attacked from an external source.
“A compromise involving all 1,800 U.S. stores would point to more of a virtual intrusion,” he said. ”I don't think there were criminal minions on the ground physically visiting all 1,800 stores. I think many issuers are also wondering if they will eventually have PIN exposure around this compromise.”
Avivah Litan, analyst at Gartner Research said “it’s time for the U.S. card industry to move to chip/smart cards and stop expecting retailers to patch an insecure payment card system.”