My Turn: Blame game is clouding truth about data breaches

By NANCY C. KYLE

For the Monitor

Last modified: 10/16/2014 12:28:31 AM

With cybercrime looming as an ever-present threat, everyone involved in commerce has a vested interest in protecting our customer data. This includes credit and debit card companies, card-issuing financial institutions and retail outlets where cards are used every day. Unfortunately, cybersecurity risks exist at all stages of the payment card transaction process. No industry is immune to cyberattacks. Recent high-profile breaches highlight the increased sophistication and coordination of these attacks, and merchants across the country are stepping up efforts to make customer information more secure.



Financial institutions, however, are at significant risk as well – as evidenced by other recent hacking incursions at J.P. Morgan Chase and Fidelity Investments. In fact, a study by Verizon found that more than one-third of all data-loss incidents last year were perpetrated against financial institutions.



This shared danger is precisely why card companies, retailers and banks of all sizes must work together to increase security for customers who use the services we provide. Finger-pointing and blame-shifting is unnecessary and counterproductive. Regrettably, that is what the New Hampshire Bankers Association engages in as recently reported by this newspaper (Monitor Local and State, Oct. 9).



Readers are left with the impression that banks were solely responsible for reimbursing customers for losses due to data breaches, with no contribution from retailers. This is inaccurate. Retailers do have a stake in the liability according to contractually agreed-upon formulas worked out between the card companies and issuers. Under MasterCard’s rules, for instance, retailers reimburse small financial institutions for fraud losses incurred on standard magnetic-stripe cards at a rate of $2.69 per card. Institutions issuing Visa cards operate under similar reimbursement agreements. A 2013 study of debit card fraud by the Federal Reserve found that retailers and issuing institutions actually shouldered relatively equal shares of losses brought on by cyberattacks.



The magnetic-stripe cards that most institutions in the U.S. issue, and which are thus used by most American consumers, are themselves part of the problem. The Bankers Association further contends that while banks “are largely successful in fending off cyberattacks,” they are hampered because “there is no similar protection at the retail level.” Putting aside the justifiable concerns likely felt by J.P. Morgan and Fidelity customers over their institutions’ ability to “fend off” attacks, the suggestion that merchants have no interest in additional customer protections is as blind as it is inaccurate.



Retailers have spearheaded efforts to adopt chip-and-PIN payment card technology in the United States. Already in use in every other G-20 nation, chip-and-PIN cards replace the 1960s-vintage magnetic stripes with a microchip. In addition, customers are given the extra security of a personal identification number to enter when making purchases. Chip-and-PIN’s effectiveness elsewhere is well-documented: It cut United Kingdom card fraud losses by half between 2008 and 2011, and Toronto-Dominion Bank has suggested that chip-and-PIN cards made Canadian Home Depot customers less exposed to damage from that company’s recent data breach. We can easily expect similar success in this country. The Federal Reserve Bank of Kansas City predicts that chip-and-PIN could reduce U.S. card fraud losses by up to 40 percent.



Merchants are eager to embrace this technology and have already taken steps to prepare stores nationwide. It would increase security for customers of banks, card companies and retailers as they do business in the digital age. As such, it is imperative that all of these institutions stop attempting to falsely shift blame for data breaches and fraud loss, and instead work together for the customer’s benefit.







(Nancy C. Kyle is president and CEO of the New Hampshire Retail Association.)





