Banks, Retailers Clash Over Cybersecurity Measures

WASHINGTON — Merchant and banking groups are again at odds over cybersecurity policy, sparring over who's to blame for recent data breaches and how lawmakers can ensure greater protections.

A handful of financial groups, including the American Bankers Association, the National Association of Federal Credit Unions and The Clearing House, penned a letter Wednesday to House and Senate leaders firing back against the retailers for their own letter to Congress last week.

The banking groups charge that the retailers' missive was "inaccurate and misleading," warning that their policy recommendations fail to improve oversight within the retail community. 

The two industries have pointed fingers at each other since a high-profile data breach at Target came to light last winter. Retailers have repeatedly called for chip and PIN technology to be added to credit cards, though the technology would not have stopped the Target attack or the many other breaches at retailers and banks alike.

"[T]he failure of the payment cards themselves to be secured by anything more sophisticated than an easily-forged signature makes the card numbers particularly attractive to criminals and the cards themselves vulnerable to fraudulent misuse," said the National Retail Federation and several dozen other retail groups in their Nov. 6 letter. "Better security at the source of the problem is needed. The protection of American's sensitive financial information is not an issue on which sacrificing comprehensiveness makes any sense at all."

But bankers have pushed back, arguing that increased protections are needed at the merchants as well as within the payments system.

"Financial institutions on their own are aggressively implementing new systems and leading the development of new technologies like tokenization to combat the ever-changing criminal threat," financial services groups added in their letter. "At the same time, the financial services industry is committed to working with all stakeholders to ensure that data breach protections are a shared responsibility requiring everyone in the payments chain to have a heightened awareness of potential emerging threats and work to address them."

Retailers have also asked Congress to pass a uniform breach notification measure to replace the patchwork of rules in place across different states.

But bankers warned that a federal breach notification law alone isn't enough to stop cyberattacks.

"It is only when coupled with the development of strong internal data protection standards and robust oversight that the retail community will find itself in a better position to protect consumers and their confidential personal financial information from criminal abuse," the financial groups said.

The fight wages on despite early efforts to collaborate after the Target breach, including the formation of a cybersecurity partnership between the industries in February.

For reprint and licensing requests for this article, click here.
Law and regulation
MORE FROM AMERICAN BANKER