Banklike data security rules for retailers would reduce breaches

Target’s recent settlement with 47 states and the District of Columbia over the retailer’s 2013 data breach brought to mind this well-known John F. Kennedy quote: “There are risks and costs to a program of action — but they are far less than the long-range cost of comfortable inaction.”

The $18 million settlement is in addition to $202 million in legal fees and other expenses resulting from the breach, in which hackers stole data from up to 40 million credit and debit cards of shoppers who had visited Target stores during the holiday season.

With hacking and data breaches on the rise, it is more important than ever for merchants to protect their customers’ personal financial information. New reports surface almost weekly of the sneaky methods used by hackers, like skimmers and malware, to steal credit card numbers and other identification for their criminal activities. It is time for merchants to take data security more seriously and invest in their customers’ safety.

Christopher Dilts/Bloomberg

As of June 6, there have already been over 700 data breaches in 2017, exposing over 10.8 million records, according to the Identity Theft Resource Center. Retailers are among some of the biggest targets, and restaurants and hotels are increasingly falling victim, too.

Today's consumers choose to pay with credit cards and other electronic payment methods at places they frequent on a regular basis, trusting that large corporations have security protocols in place. Some companies may have invested time and money in new infrastructure to protect consumer information, but retailers are not held to the same data security standards as the financial sector, which is subject to regulation and oversight by the federal government.

The hotel industry was affected by a massive data breach that surfaced on May 4. Sabre Corp., a Texas technology company that provides reservation software to more than 32,000 hotels worldwide, was notified of unauthorized access to payment information, and quickly scrambled to close the loophole in their data security system. Sabre still does not know how much information was compromised.

Arby’s was another recent hacker target. As was reported in February, from October 2016 through January 2017 as many as 355,000 credit cards were compromised due to a malware attack on cash registers. Arby’s became aware of the hack in mid-January, after the company was alerted by a credit monitoring service.

Best American Hospitality Corp., the restaurant group that owns Church’s Chicken and the 70-year-old Shoney’s chain, also suffered a breach that started in late December 2016 and went through early March. That breach, too, was caused by cash registers infected with malware at 37 locations. Credit card numbers, customer names, expiration dates and verification codes were all compromised.

Just last week, Sears announced that payment systems for its Kmart stores had been infected with malware. Though Sears says the attack was identified and contained, it did confirm that customers’ credit card information was compromised.

Banks are not immune from hacking, yet experts point out that financial institutions have significantly upped their data security efforts to protect their customers. The ITRC found that, of the 1,093 data breaches reported last year, the financial services industry suffered just 4.8% of them — the lowest of any sector.

"With the world's money at stake, financial services firms have always invested more heavily in the tools needed to protect their data, and that shows in the numbers," said Andy Kicklighter, director of product security for Thales e-security. "Versus other industries, they also have a larger number of industry standards and government regulations to comply with, which improves their baseline for data security."

Hacking retailers results in costs not just for the retailer but also for banks. One of the biggest data breaches in history, the 2014 Home Depot breach, is costing Home Depot $25 million in damages, according to the terms of a new settlement with banks.

Because of these breaches, banks have had to reissue tens of millions of credit cards — a significant burden, especially for small local banks. The 50 million customers who had their credit card numbers and email addresses stolen in the Home Depot breach show that there is a clear need not only for retailers to take security more seriously, but also for action from the federal government. We cannot allow criminals to continue taking advantage of a deadly combination of weak and outdated technology coupled with inconsistent regulations.

Banks already have their bases covered on this. The Gramm-Leach-Bliley Act of 1999 established federal oversight of banks’ security measures and put regulations in place to make sure banks protect their customers. Retailers and other businesses are not subject to these same federal regulations. Rather, they follow a patchwork of state data security laws. Even though they process and store customer information, they do not have to abide by any federal standards.

The Electronic Payments Coalition would strongly support legislation that brings retailers into a uniform standard with banks for protecting consumer financial data. We realize that not all businesses, like small mom-and-pop shops, deal with the same amount of consumer data as large corporate entities like Home Depot, so legislation should not take a one-size-fits-all approach. Nor can small businesses afford expensive infrastructure. The emphasis for any legislation should be on large companies, which suffer massive breaches but then turn to banks to clean up the mess on the consumer end by reissuing cards.

Consumers should be outraged that hackers have so easily compromised everyday economic transactions. Retailers must work to restore the trust lost and make sure their technology is up to date and secure. These most recent breaches should motivate merchants to push for uniform standards that will bring them in line with standards that banks comply with for protecting their consumers.