Perspective: Payment system security needs less talk, more action

Finger-pointing between retailers and banks in wake of Target breach a symptom of the problem; Congress likely to step in

Retailers and banks must move quickly to figure out who should be responsible for better securing the payments system network or risk having Congress decide for them.

In the weeks since a massive data breach at retailer Target, banks and retail industry groups have been ferociously blaming each other for not doing enough to prevent such hack attacks. The latest debate continues a longstanding feud that has stalled progress on efforts to improve credit and debit card security.

Both sides need a change in attitude.

The American Bankers Association (ABA), Credit Union National Association (CUNA), the National Association of Federal Credit Unions (NAFCU) and others have renewed calls for regulations that would require retailers to implement stronger data security controls.

"When a retailer like Target speaks of its customers having 'zero liability' from fraudulent transactions, it is because our nation's banks are providing that relief, not the retailer that suffered the breach," ABA president Frank Keating said in a letter to Congress earlier this month.

In an opinion piece posted on, last week, NAFCU CEO Dan Berger chided retailers for downplaying their role in safeguarding sensitive customer data.

The Gramm-Leach-Bliley Act has for years required banks and credit unions to implement strong data security controls, he noted, and now it's time to implement similar rules for retailers. "If retailers want to reap the rewards of consumer sales, they should also take an active role in protecting their data," Berger said.

According to CUNA, credit unions have so far spent more than $30 million to recall and reissue credit and debit cards impacted in the Target breach. When fraud-related costs are factored in, credit unions could end up paying a much higher price for Target's folly, according to the association.

"Contrary to what some may think, these expenses will not be reimbursed to credit unions and their members by Target or other retailers," CUNA President and CEO Bill Cheney said in a statement. "Rather, credit unions must solely cover these costs of their card program administration, including in these circumstances of reacting to a merchant data breach."

Meanwhile, the influential National Retail Federation (NRF) deftly responded by placing the blame for breaches on card technology used by banks and credit unions around the U.S.

"For years, banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next-generation PIN and Chip card technology for customers in Europe and dozens of other markets," NRF President and CEO Matthew Shay said in a letter to two lawmakers this week.

Retailers are ready and willing to make the switch to PIN and Chip cards, but banks have dragged their feet, Shay contended. "The fact remains that retailers cannot do this alone."

Disagreements over who should shoulder responsibility for data security have become de rigueur after every major breach over the past few years. The same questions and concerns voiced after the Target breach were also aired after a major breach at TJX more than five years ago.

Retailers continue to insist they are doing all they can to keep customer data secure, while banks claim they must bear too much of the cost of retail security breaches. Efforts to close the gap have seen little real progress over the past several years.

Retailers, especially big ones, must focus most of their information security efforts on compliance with the Payment Card Industry Data Security Standard, a set of security requirements mandated by Visa, MasterCard, American Express and other credit card associations.

The PCI standards aim to get retailers to adopt best practices for protecting credit and debit card data. Over the years, compliance with the standard has become the security end goal for many retailers. Target and other top retailers have spent tens of millions of dollars on ensuring PCI compliance over the past few years.

The payback on these investments has to date been somewhat mixed.

Retailers remain huge targets for data thieves. The Target breach alone resulted in the compromise of more than 40 million credit and debit cards and the exposure of personal data from some 70 million more people. At least three other retailers, including Neiman Marcus, were recently compromised in similar fashion.

Data breaches in recent years have forced retailers to pay tens and even hundreds of millions of dollars in remediation, legal and other costs.

Still, the payment card industry does not have so much as an information sharing and analysis center for disseminating malware and threat-related data like almost every other major sector does.

Several PCI-compliant companies have suffered breaches, raising questions about the effectiveness of the standards, which critics say have failed to keep up with fast-evolving security threats.

Gartner analyst Avivah Litan noted in a blog post this week that nothing in the PCI standard would have helped Target detect the malware used to attack its point-of-sale system network.

Other efforts to improve payments systems security, such as end-to-end encryption and tokenization of payment card data, have also had limited success because of relatively low adoption levels. Retailers who have adopted such measures sometimes claim they are forced to decrypt data before sending it to their bank.

Banks have also continued to drag their feet on chip and PIN technology.

Organizations like CUNA have been quick to note that the updated technology, known as Europay, MasterCard and Visa (EMV) smartcard technology, would likely have done little to stop the Target incident.

Even so, EMV is widely considered better than the magnetic stripe technology used to encode data in most credit and debit cards issued in the U.S., which is one of the few countries not to adopt EMV.

The NRF insists that retailers are ready and willing to make the investments necessary to switch to the EMV standard. But banks so far have not been willing to make the switch.

The scope of the Target breach drew the attention of lawmakers. Members of the House Financial Services Committee have called for a hearing on the breach to look into what might have happened and to figure out if new data protection mandates are needed for retailers.

While the ABA, CUNA and other banking groups would welcome such federal intervention, it could spell trouble for retailers.

In the aftermath of the TJX breach back in 2007, some lawmakers wanted to require that retailers implement data security standards similar to those imposed on financial services companies.

Retailers argued then that such measures aren't needed because the data they handle is far less sensitive than that maintained by banks and other financial institutions. Even so, there's a real risk that the breach will prompt Congress to significantly expand the scope of mandated data protection requirements.

It's now time for an industry-wide discussion on data security, says Cathy Hotka, a long-time retail consultant who helped set up the CIO Council at the NRF years ago.

Ten years ago, a Target-like breach would have been seen as an unfortunate one-off incident, Hotka says.

These days, she said, "We know there are these spectacularly sophisticated tools that bad guys can use to gain access to any network. They are vastly better equipped than they used to be [so] the time for action is now."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His email address is
