Retailers apply common sense to cyber security

Many fingers pointed at Target after the retailer suffered a massive data breach during the holidays, but preventing the next cyber attack is beyond the scope of any single company, according to testimony retail representatives shared with lawmakers on Monday.

The issue of cyber security isn’t new, but it took a data breach the magnitude of the one experienced by Target — and the resulting consumer impact — to get legislators involved in the debate over a national solution. At a hearing on Monday on the topic of “securing consumers’ financial data,” members of the National Security and International Trade and Finance Subcommittee of the U.S. Senate Banking, Housing and Urban Affairs Committee heard from a breadth of stakeholders involved in a highly vulnerable national payment system.

“When a criminal breach occurs in the payments system, all of the businesses that participate in that system and their shared customers are victimized,” National Retail Federation SVP and general counsel Mallory Duncan testified at the hearing. “Rather than resort to blame and shame, the parties should work together to ensure that the data breach is remedied and steps are taken to prevent and mitigate future breaches.”

“We have every reason to want to see fraud reduced, but we have only a portion of the ability to make that happen. We did not design the (payments) system, we do not configure the cards and we do not issue the cards. We will work to effectively upgrade the system, but we cannot do it alone. This is a continuous battle against determined fraudsters. Every party in the payment system, financial institutions, networks, processors, retailers and consumers, has a role to play in reducing fraud,” according to Duncan’s testimony, which Echoing a familiar theme on behalf of the retail industry, Duncan noted, echoed a familiar theme on behalf of the retail industry.

Sharing in the “we’re all in this together,” point of view expressed by Duncan at the hearing was the Retail Industry Leaders Association (RILA). In written testimony submitted by the trade group, SVP of government affairs Bill Hughes said, “while retailers understand and manage their internal systems and security, they have little or no influence over the actions taken by other players in the payments universe, actions with enormous implications on fraud. Instead, retailers must rely on others in the payments ecosystem to dictate critical security decisions, including card technology, retailer terminals, and when data can be encrypted during the transmission between retailers and the card networks.”

According to Hughes, retailers have long argued that the card technology in place today is antiquated and because of that criminals can use stolen consumer data to create counterfeit cards with stunning ease.

“For years, retailers have urged banks and card networks to adopt the enhanced fraud prevention technology in use around the world here in the United States. While their resistance to doing so has been great, retailers continue to press all other stakeholders in the payments system to make this a priority,” Hughes said.

Hughes and NRF’s Duncan contend the banking industry needs to replace current cards that store consumer data on decades old magnetic stripe technology with state-of-the-art cards that encrypt data on an embedded microchip and require use of a personal identification number.

In his testimony, Duncan said the United States needs to look beyond the Payment Card Industry’s (PCI) security standards and new proposals to embrace a more secure and technologically-advanced payments system that is as innovative as it is competitive. In the longer term, Duncan said further improvements, such as point-to-point encryption of data, known as “tokenization,” of transactions and mobile payments offer potential solutions to better protect consumers.

Duncan also urged Congress to pass the Cyber Intelligence Sharing and Protection Act, which would make it easier for the commercial sector to share information about cyberthreats and ensure that cybercrimes are thoroughly investigated and prosecuted. He said NRF also wants Congress to replace the varying data breach notification laws currently on the books in 46 states and the District of Columbia with a single, uniform nationwide standard and bolster law enforcement agencies’ abilities to combat cyberattacks.