Right now, federal policymakers are debating how best to protect consumer data from hackers, a discussion that is long overdue. The House Small Business Committee will convene its second hearing today on the major security upgrade that the financial services industry is bringing to payment cards. Our industry is proud of this upgrade, but more needs to be done, especially by other industries that customers entrust with their personal data. The bottom line: retailers need to focus on protecting their customers’ data before it gets breached.
Unfortunately, some retail trade groups have chosen to fixate on mandating PINs, a static technology that only addresses a small and steadily declining share of fraud, rather than addressing what caused the high-profile retail data breaches that compromised millions of Americans’ card accounts. These breaches weren’t caused by petty thieves swiping cards out of wallets – they were caused by organized crime rings exploiting gaps in retailers’ systems. For instance, it was found that hackers could access every cash register of a major national retailer simply by plugging into its deli meat scales. In another large breach, criminals were able to break into the retailer’s systems through its air conditioning, a breach that allowed credit card information to go to a foreign country over the course of several months.
The payments system will only be secure if everybody – banks, payment networks, retailers and consumers – works together to implement the latest technologies to stop criminals in their tracks. Unfortunately, consumers still don’t have the benefit of having their personal information protected everywhere through one common national data standard. In fact, while banks and other financial institutions are already subject to stringent data security and breach notification requirements under the Gramm-Leach-Bliley Act, no similar national standard exists for retailers.
As we saw in the case of these massive retailer breaches, without standards that ensure the security, confidentiality and integrity of sensitive consumer financial information, all of our privacy is at risk.
The negative consequences of this patchwork system are not lost on consumers. According to an American Bankers Association survey conducted by Ipsos, 78 percent of consumers said lawmakers should hold retailers, banks and other companies involved in the payments system to the same security standards. While it may seem like common sense, it is not currently the case and criminals know it.
Fortunately, bipartisan legislation has already been introduced that takes consumer protection seriously and would significantly improve the current system. The Data Security Act of 2015, introduced by Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) and Reps. Randy Neugebauer (R-Texas) and John Carney (D-Del.), provides the necessary framework for better security throughout the payments ecosystem. It establishes a uniform data security standard nationwide so that all businesses are held to the same high standard for consumer protection, underscoring that everybody must play a part in safeguarding consumer data.
Importantly, the bill also recognizes that no single technology can eliminate fraud, and that requiring a specific security feature would inhibit the private sector’s ability to innovate new technologies capable of thwarting sophisticated hackers. The U.S. is now the leader in chip cards, and other advanced innovations, such as biometrics and tokenization technologies like Apple Pay, are being introduced to prevent emerging threats.
Now it’s time to turn our attention to what is needed to create the tough security infrastructure consumers deserve: a national standard for how businesses of all sizes must safeguard sensitive financial data.
Keating, former Republican governor of Oklahoma, is president and CEO of the American Bankers Association.