National data security standards for retailers: The way to keep consumers safe

In his recent commentary, Lyle Beckwith continues to push the myopic perspective of PIN technology. Unfortunately, his singular focus on credit card security ignores the need to protect consumers’ retail transactions in-store and online.  Last year on Cyber Monday alone, retailers racked up a record $3 billion-plus in online sales, according to Adobe Digital Index. Beckwith fails to consider the huge retail data breaches that occurred through malware and which would not have been prevented by the use of PINs. 

We have long stated EMV transition is an important step in the process of data security, but it is not a silver bullet.  In other countries, the transition has taken two to five years. Curiously, there has been a move away from PINs in both Canada and Europe. In fact, in Europe 20 percent of transaction volume is now EMV contactless, which doesn’t require PIN or signature authentication.

{mosads}Consumers will only be protected when every sector of industry, including merchants, issuers and networks, is subject to robust federal data safekeeping standards. Since 1999, financial institutions have adhered to the rigorous standards of the Gramm-Leach-Bliley Act that help safeguard consumers’ sensitive personal and financial information.  The Data Security Act of 2015 (H.R. 2205), introduced by Reps. Randy Neugebauer (R-Texas) and John Carney (D-Del.), would establish uniform national standards for protecting consumer payment and personal information, akin to Gramm-Leach-Bliley, and it would require all entities to have procedures in place to protect consumer data.

Under current rules, retailers are not subject to the Gramm-Leach-Bliley Act requirement to develop and maintain robust internal protections against network intrusions and data theft. Under H.R. 2205, retailers would be held responsible for implementing security measures to protect consumer data. These systems, which should start with the ability to process new EMV chip cards, should prevent data breaches from happening in the first place.  S. 961 is the companion bipartisan bill introduced by Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.), in the Senate.

The continued push for chip-and-PIN technology is another delay tactic for retailers to avoid true accountability through national data security standards. PINs were developed by the banking industry for verification purposes at unmanned ATMs.  It’s a static data element. Chip-and-PIN would not have prevented the big breaches at Target, Home Depot or any of the recent attacks at Wendy’s or Hyatt hotels. 

Financial institutions continue to pursue new technologies such as tokenization, biometrics like voice and fingerprint recognition and point-to-point encryption – all in addition to EMV chip cards.

Ultimately, true data security requires a multi-tiered approach, and new technology is only one part of that. There must be national data security standards for all businesses that handle financial information, including merchants. To stop fraud, we must work together to stem the tide of cyberattacks .

Hunt is executive vice president of Government Affairs and general counsel of the National Association of Federal Credit Unions.