Feb. 5, 2015
By Sandy Kennedy, President of RILA
When it comes to consumer data breaches, everyone would acknowledge that 2014 was a difficult year. Major institutions both financial and retail were targeted with malicious cyber-attacks and more than 80 million J.P. Morgan Chase accountholders had their personal information exposed in a single hack. Unfortunately, it came as little surprise when a Wall Street Journal/NBC News poll released at the end of the year found that just under half of all Americans had received notice of a breach compromising their data.
In the face of these cyber-attacks, retailers are committed to fostering and enhancing customer trust. The Retail Industry Leaders Association (RILA) is working with Congress to provide assistance and ensure merchants have the partners and tools to fight a growing and sophisticated enemy and protect Americans.
The time is right for Congress to pass legislation that enacts a single, preemptive national data breach notification standard. So far, 47 individual states have such laws on the books to protect breach victims. While these state efforts are admirable, federal legislation would go a long way toward clearing up regulatory confusion for businesses and financial institutions that operate across state lines. At a hearing of the U.S. House Subcommittee on Commerce, Manufacturing and Trade recently, Brian Dodge of RILA told Members that a federal standard would provide “a clear set of expectations” for consumers across the country.
And in his State of the Union address, President Obama asked Congress for comprehensive legislation to fight the growing threat of cyber-crime. As this legislation continues to take shape, America’s retailers support bipartisan efforts to make streamlined breach notification standards a top priority for this Congress.
The President specifically called for greater integration of intelligence in the face of online enemies, comparing this fight to the War on Terror. As attacks from state actors, cybercriminals and hacktivists increasingly target American businesses and financial institutions with more sophistication than ever before, U.S. retailers have been working to bring our industry and partners in government closer together to facilitate just the sort of integration the President is pursuing.
That is exactly what RILA had in mind when we set up the Retail Cyber Intelligence Sharing Center (R-CISC) last year. Working with more than 50 major American retailers, along with security experts and federal law enforcement agencies, we organized the first retail Information Sharing and Analysis Center (ISAC). The R-CISC is the cybersecurity resource for the industry, providing a conduit for information and best practices available for merchants large and small.
Acquiring and analyzing cyber-threat information is only part of the battle, however. It is also imperative to protect consumer data at the point of transaction itself. Here, too, government and retailers are leading by example.
The President recently announced the federal government’s latest progress in the shift to “chip-and-PIN” cards as its new standard. This is welcome news, as these cards use an embedded microchip to store information as opposed to the outdated magnetic stripe. They also require a personal identification number (PIN) for extra verification, making purchases even more secure. Virtually every other G-20 nation issues “chip-and-PIN” cards, and these cards have proven to substantially reduce fraud.
At the same time, retailers continue to ready our stores to accept the new cards. Financial institutions, however, may be missing a crucial opportunity to provide their customers with the highest-available level of payment card security. While banks and credit unions intend to issue some 575 million new chip cards this year — according to The Wall Street Journal — these will not include the crucial PIN functionality, rendering them more vulnerable to fraud. Debit card holders already use PINs to make purchases and the Federal Reserve has determined that this small step makes those transactions up to 700 percent safer than those made without a PIN.
Despite the widespread use of PINs with debit cards and their proven safety benefits, big banks somehow did not find it necessary to include this feature on their new cards. Their excuse? Americans, they felt, just aren’t ready. Doug Johnson of the American Bankers Association recently told National Public Radio that American cardholders “are not accustomed to using a PIN within a credit environment.” Do banks not believe their member institutions’ customers will be able to memorize a few digits to go along with their credit card, despite many having already done so with debit cards?
The banks reportedly based their decision on market research. Since when, however, did the findings of a market research report take a back seat to customer security?
Americans want greater data security, plain and simple. Retailers are committed to this goal as well, and by supporting federal data breach notification standards, broadening American adoption of “chip-and-PIN” technology, and increasing our collaboration with government to fight cyber-threats through the R-CISC, we believe positive change will be achieved.
(This commentary was originally published in Roll Call, reprinted here with kind permission.)