Bank vs. Retailers: Who’s Responsible for Protecting Your Data?
Get ready for the blame game. The recent procession of payment card data breaches coming to light has the retail and financial industries trying to assign fault to each other. So, who should be held accountable for the breaches that have occurred to Target, Neiman Marcus, Michaels and, most recently, a number of hotels?
Obviously, every side has their own argument on how the blame should be placed on the other side.
Banks: Protect customer data
Banks and card issuers say that retailers aren’t taking the security measures to protect customer information, which is leaving banks and card issuers to clean up their mess by reissuing new cards and by sustain the losses that come from refunding fraudulent charges.
“Banks have proactively replaced millions of customers’ cards and allocated significant resources to correct a problem that, by all appearances, was not of their making,” said Richard Hunt, CEO of the Consumer Bankers Association, in a press release. “This comes at no small cost, and Target needs to take the financial responsibility where they are to blame.”
According to the CBA, member banks spent roughly $154 million to issue new cards to customers -- an average of $10 to replace nearly 15.4 million cards.
Banks and card issuers argue that retailers have to increase the security on their payment systems.
Retailers: Upgrade card technology
Retailers are pointing out that banks and card issuers should be offering enhanced payment cards that have secure chip technology. The U.S. has long been criticized for being slow to adopt new card technology -- called EMV -- that has already become a standard in many foreign countries.
The EMV chip cards are inserted into payment terminals (like an ATM slot) as opposed to swiped like most U.S. debit and credit cards. EMV chips support dynamic authentication, so that someone who steals transaction data cannot use it to make fraudulent purchases.
“The retail industry is eager to work with banks and card companies to fight cyber attacks and reduce fraud,” wrote Matthew Shay, president and CEO of the National Retail Federation, in letter to Congress. “These efforts include installation of sophisticated new PIN-enabled point-of-sale systems and readiness to adopt cards with more secure microchip technology, but the fact remains that retailers cannot do this alone.”
Mandates by U.S. card networks
Recognizing the need for next-generation card technology to thwart card fraud, major U.S. payment networks are leading the transition.
Visa, MasterCard, American Express and Discover issued mandates that required point-of-sale systems to support EMV chip technology by late 2015. Merchants that do not comply will have fraud liability shifted to them. (Deadline for fuel pumps was late 2017.)
Some U.S. credit card issuers, including Chase, American Express and Citi, have already started to provide EMV chip cards to customers. However, the chip card technology is commonly found on the more prestigious credit cards.
However, until EMV chip cards become the norm, the burden of safeguarding consumers’ payment data remains up in the air.
Let us know who you feel bears that responsibility: