The National Retail Federation (NRF) and the Retail Industry Leaders Association (RILA) are advocating collaboration as the best response to criminal cyberattacks resulting in the theft of millions of consumers’ credit and debit card numbers. According to Washington, D.C.-based NRF, retailers are willing to help improve security, but banks and card companies also need to fix the current payments system.
“When a criminal breach occurs in the payments system, all of the businesses that participate in that system and their shared customers are victimized,” noted NRF SVP and General Counsel Mallory Duncan. “Rather than resort to blame and shame, the parties should work together to ensure that the data breach is remedied and steps are taken to prevent and mitigate future breaches.”
Added Duncan: “Retailers take the increasing incidence of payment card fraud very seriously. We have every reason to want to see fraud reduced, but we have only a portion of the ability to make that happen. We did not design the [payments] system, we do not configure the cards and we do not issue the cards. We will work to effectively upgrade the system, but we cannot do it alone.”
At press time, Duncan was slated to testify Feb. 3 before a hearing on data security being held by a subcommittee of the Senate Banking, Housing and Urban Affairs Committee. In testimony prepared in advance of the hearing, he said that in the short term, the banking industry must replace outdated magnetic-stripe technology with modern cards that encrypt data on an embedded microchip and require use of a secret personal identification number (PIN), rather than banks’ and card companies’ more fraud-prone EMV (Europay, MasterCard and Visa) proprietary cards.
Duncan’s testimony instead urged the adoption of a more secure and technologically advanced payments system that would eventually offer such improvements as point-to-point encryption of data, and “tokenization” of transactions and mobile payments.
He further encouraged Congress to pass the Cyber Intelligence Sharing and Protection Act, which would make it easier for the commercial sector to share information on cyberthreats and make sure that cybercrimes are thoroughly investigated and prosecuted. According to Duncan, NRF also wants Congress to replace the varying data-breach notification laws currently enacted in 46 states and the District of Columbia with a single, uniform nationwide standard, and enhance law enforcement agencies’ abilities to fight cyberattacks.
In a letter to the committee, Bill Hughes, SVP of government affairs at Arlington, Va.-based RILA, wrote: "While retailers understand and manage their internal systems and security, they have little or no influence over the actions taken by other players in the payments universe, actions with enormous implications on fraud. Instead, retailers must rely on others in the payments ecosystem to dictate critical security decisions, including card technology, retailer terminals, and when data can be encrypted during the transmission between retailers and the card networks. Retailers have long argued that the card technology in place today is antiquated, and because of that, criminals can use stolen consumer data to create counterfeit cards with stunning ease."
Hughes' letter continued: "RILA is reaching out to representatives across the merchant community, as well as those representing the card networks and financial institutions of all sizes, in an effort to work together to identify near- and long-term solutions." The organization's Cybersecurity and Data Privacy Initiative launched late last month.