As one of the nation's few companies that insure credit unions against plastic card fraud, we at CUNA Mutual Group get disturbing telephone calls just about every day.
Many of those calls are from credit union CEOs fed up with an explosion of security breaches involving debit and credit card information.
Unfortunately, we're getting a lot more of these calls lately. Last month, it was reported that yet another big retailer, TJX Cos., incurred a significant data breach resulting in the theft of personal financial information from millions of its customers.
This latest debacle appears to be another violation of card association rules regarding retention of magnetic stripe information. If history serves as a guide, the retailer will not bear much of the cost for this breach. Instead, individuals, financial institutions like credit unions, and insurers like CUNA Mutual will pay for the sins of others. We estimate the impact on CUNA Mutual and card-issuing credit unions will be significant.
This latest incident follows other well-publicized breaches at nationally known retailers BJ's Wholesale Club, DSW, Chipotle's and Polo Ralph Lauren, and the theft of some 40 million cards from the database of a third-party merchant payment processing facility owned by CardSystems Solutions, Inc.
These breaches allowed hundreds of millions of dollars in fraudulent transactions and put millions of consumers at risk of becoming fraud victims or having their identities stolen.
But there's a puzzling theme here. Hackers repeatedly have gained access to large volumes of information in databases that are supposed to be tightly guarded. The CEOs we hear from demand to know why merchants and their processors are improperly storing or retaining files with cardholder account data in the first place.
Credit card association rules clearly forbid the retention of cardholder data recorded on the magnetic stripe on the back of every debit and credit card. Yet, in the CardSystems breach and other retail breaches, the information was indeed retained, ripe for the picking.
When the TJX breach became public, Visa issued a statement indicating it had "provided the affected accounts to financial institutions so they can take steps to protect consumers." They might as well have said, "Here's a bucket and mop. Better start cleaning up this mess." This is an outrage. Card associations have been ineffective in enforcing their own rules and reticent in punishing flagrant violations of those rules by merchants who continually disregard them. If the full magnetic stripe data isn't retained after the transactions are completed, the information necessary to create counterfeit cards simply is not available. Although the card associations talk a good game about getting merchants and processors to comply, they are not doing enough to enforce their own rules.
When informed of the breaches, credit unions, banks and other card-issuing institutions must scramble to monitor accounts for fraud or cancel them and reissue new cards with new account numbers. Replacing plastic cards is a painstaking, expensive process costing institutions as much as $20 or more per card, not to mention the loss of member confidence and member inconvenience.
Consumers pay a price, too. Many reasonably question just how safe their personal information is when they hand their card to a merchant or make an online purchase.
Even if cardholders are not directly defrauded, they still may face the hassle that comes when a card is blocked and reissued. For example, many use plastic cards to pay recurring bills. When a card is blocked and reissued, the cardholder must contact merchants, utility companies and other service providers to inform them of their new account information. Zero liability may help the cardholders when fraud is actually committed, but it's useless in dealing with inconveniences these breaches cause.
The bottom line is that the parties responsible for security breaches must be held accountable. In March 2005, CUNA Mutual filed suit against BJ's Wholesale Club and the Fifth Third Bank on behalf of about 200 of our credit union policyholders that suffered losses from a March 2004 security breach affecting the debit and credit cards of more than 1 million consumers.
The case continues, and we hope to recover the $18 million-plus in losses our credit union policyholders and CUNA Mutual experienced as a result of the BJ's Wholesale card compromise. These losses include fraud losses credit unions have incurred, but have been unable to recover, as well as expenses associated with the blocking costs and the reissue of all affected cards. But litigation is a last resort. A better solution would be more rigorous standards, enforcement and credit card industry requirements. Self-audits of credit card handling systems should be abolished. Establishing standards and confirming that they are audited correctly are crucial to protecting cardholder data.
Most important, payment system parties that continue to violate card association rules should be held fully accountable for all fraud losses and operating expenses incurred as a result of these avoidable data breaches. Those responsible should be accountable. Period.
Federal legislation is needed to enforce such tougher standards. Although some states have passed security-breach measures, a patchwork of conflicting state laws will create confusion, raise costs and result in different standards of data security depending upon the state where consumers live.
Congress must establish notification and monitoring requirements and regulatory oversight for breach of data security. Likewise, it is important that federal law holds those who are truly negligent and irresponsible in their management of personal data liable for the harm that ensues.
But we suffer no illusions. Powerful forces can be expected to counsel Congress against tough action. We expect to hear strong voices for the unacceptable status quo.
The situation will not fix itself. It must be reversed quickly. Otherwise, the entire plastic card payment system could be undermined and feed a growing perception of a corporate America that lacks integrity, responsibility and accountability.