Sadly, it is no surprise that another massive merchant data breach is in the news. It is also no surprise that the Home Depot data breach was discovered by the institutions that issued the compromised debit and credit cards and not the retailer who collected the data and subsequently lost it.
What is shocking is the fact that massive merchant data breaches have been going on for more than five years now. The failure to protect consumer financial data at point of sale has gone on for too long and too many merchants have failed to implement the type of rigorous and consistent standards necessary to protect this sensitive information.
The payment system is a three-way partnership that includes the consumer, card issuers and merchants. The consumer as well as credit unions and banks are going to great lengths to protect the information necessary to make it possible for the system to work, so why is it that after more than five years the merchant community still has not come up with a solution?
It is because data-security standards are inconsistent across the board and they most certainly should not be.
Credit unions and other financial institutions are subject to high data-protection standards under the Gramm-Leach-Bliley Act, but merchants are not subject to federal data-protection standards.
Under today’s federal law, there is no merchant accountability. That has to change. This lack of accountability on the part of the merchants is directly reflected in the small investment that they make in cybersecurity.
A recent article in The Wall Street Journal’s CIO Journal noted that financial institutions and the finance industry spend as much as $2,500 per employee on cybersecurity, while retail and consumer-products companies dedicate about $400 per employee. Also noted in the CIO Journal piece, the financial-services industry spends about 5.5 percent of information technology budgets on cybersecurity compared with 4 percent by retailers, according to Lawrence Pingree, research director at Gartner Inc.
EMV (a global standard for secure payment transactions), tokenization and other technologies are critical to the innovation of the payments system. However, before those investments are made, Congress has to make sure all of the participants are playing by the same set of data-security rules, and that merchants who hold consumer data and allow that data to be breached are responsible for the costs incurred by others.
When a data breach occurs, credit unions take steps to protect members. We know what to do because we’ve had to do it all too often. We notify our members, determine whether to reissue debit and credit cards, increase call-center staff, set up account monitoring and undertake other protective measures. These steps are not without cost, however, and the impact of merchant data breach-related costs is far reaching.
Credit unions are nonprofit financial cooperatives operating on already thin margins. These costs make a significant difference in the bottom line and therefore in our ability to offer services to members.
All participants in the payment process have a shared responsibility to protect consumer data, but the law and the incentive structure today allow merchants to abdicate that responsibility, making consumers vulnerable. Congress must act to protect consumers.
Paul Gentile is the president of the Credit Union Association of Rhode Island.