It's still too early to estimate the total costs to U.S. credit unions from the Target card breach, according to executives whose organizations are tracking the numbers.
CUNA said it will collect loss data from all card-issuing credit unions, but stressed that participation in the survey would be voluntary. However, CUNA Spokesman Ben Fishel said the association hoped for a good response due to the large number of cards compromised.
“Frankly, we started collecting the data because we anticipated some lawmakers might want to see it,” Fishel explained, adding that CUNA might release the survey data as a summary.
Ann Davidson, senior consultant for risk management at CUNA Mutual Group, the primary insurer for the majority of U.S. credit unions, said it was still too early to calculate losses from the breach because the card brands have not yet released lists of all compromised card numbers.
Until the card brands and processors deliver all the lists, it is impossible for credit unions to know how many cards might be compromised, what their responses will be and the associated costs, she said.
Another lingering question is what the breach might mean to the PCI Data Standard, which card brands and processors have promulgated to help defend credit and debit cards from these sorts of breaches.
Bob Russo, general manager of the PCI Security Standards Council, said standards are merely the beginning of protection against theft, not the complete solution.
“It’s important to remember that the PCI DSS is the floor for card data security, not the ceiling,” he said. “A card data environment is under constant threat, so businesses must ensure their safeguards are also under constant vigilance, monitoring and where necessary, ongoing improvement. A layered approach to security is absolutely necessary to protect sensitive payment card data – without ongoing vigilance or a comprehensive security strategy, organizations may be just a change control away from noncompliance. Organizations must make protecting cardholder data a daily priority, not a one-time exercise, he added.
“An intrusion need not result in card data compromise if an organization is following the 12 guiding requirements of the PCI DSS,” Russo said.