Credit union and banking trade organizations fired off a letter Wednesday to members of the Senate that counter what they said were false claims from the retail industry on data security.
“They have made, and continue to make, several misleading and counterproductive statements about the breaches and the position of banks and credit unions across the country,” said the letter from CUNA, NAFCU, the American Bankers Association, the Independent Community Bankers of America and others.
The groups specifically challenged three points:
1. Financial institutions suffer more data breaches than retailers.
Mallory Duncan, general counsel for the National Retail Federation, testified before a Senate subcommittee on Monday, citing a Verizon analysis of more than 47,000 security incidents and 621 confirmed data breaches that took place during the prior year.
“Virtually every part of the economy was hit in some way: 37% of breaches happened at financial institutions; 24% happened at retail; 20% happened at manufacturing, transportation and utility companies; and 20% happened at information and professional services firms,” he said in his written testimony.
Financial trades fired back.
“According to the much respected Identity Theft Resource Center, 77% of breaches in 2013 occurred at healthcare facilities and businesses, including retailers. That’s compared to just 4% at financial institutions. Unlike studies cited by retail groups, these are actual breaches in the United States and not merely reports on ‘incidents,’” their letter said.
2. Card issuers have fought chip-and-PIN technology.
The National Retail Federation said it supports an “immediate transition” from magnetic strip cards to chip-and-PIN technology to secure personal data, but it has faced opposition from card issuers.
“For years, banks have continued to issue fraud-prone magnetic strip cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next-generation PIN and chip card technology for customers in Europe and dozens of other markets,” Matthew Shay, president/CEO of the National Retail Federation, said in a Jan. 21 letter to congressional leaders.
“The retail industry is eager to work with banks and card companies to fight cyber attacks and reduce fraud. These efforts include installation of sophisticated new PIN-enabled point-of-sale-systems and readiness to adopt cards with more secure microchip technology, but the fact remains that retailers cannot do this alone,” Shay added.
NAFCU, CUNA and the bankers countered that recent breaches at Target and Neiman Marcus involved intrusions into their computer networks.
“These compromises have nothing to do with card technology (e.g., “Chip and PIN”) and everything to do with holes in internal firewalls at these companies that criminals are exploiting,” the letter said.
3. Retailers are shut out of payment systems progress.
Duncan said in his testimony that “while the banks are intimately connected to Visa and MasterCard, merchants and consumers have virtually no role in designing the payment system. Rather they are bound to it by separate agreements issued by financial intermediaries.”
He also said “retailers are essentially at the mercy of the dominant credit card companies when it comes to protecting payment card data.”
Financial trades disagree.
“It is the nation’s banks and credit unions that initially make consumers whole, often receiving minimal reimbursement for their efforts. Certain retail groups cannot be allowed to divert attention and duck their responsibility for protecting the sensitive personal information of consumers by always claiming that it’s someone else’s fault,” the groups said.
The groups also said that while Target and Neiman Marcus accepted their share of the responsibility for the data breaches that occurred, others in the retail industry have not taken the same approach.