The spat between retailers and banks over who foots the bill and bears the responsibility following a data breach is ramping up heading into 2015.
A group of retail trade groups on Monday fought back against what they call a misleading survey from the Independent Community Bankers of America (ICBA), which alleged banks are shelling out millions of dollars because retailers can’t secure their networks.
With little legal framework to govern retail data breaches, merchants and banks have spent 2014 bickering about who is at fault in the wake of an attack.
Retailers argue they are victims of malicious attacks, are rapidly improving their security and are calling on banks to quickly adopt the chip-enabled cards, a more secure technology than the current magnetic strip. Banks counter that they are moving toward chip technology, but that it’s helpless given the poor security standards at retailers.
The ICBA survey, released Dec. 18, said community banks had to reissue nearly 7.5 million credit and debit cards at a cost of $90 million in the wake of the massive Home Depot data breach, which exposed 56 million customers’ payment card information.
“We continue to advocate that the costs associated with data breaches be borne by the party that experiences the breach,” ICBA Chairman John Buhrmaster said at the time. “Communities and customers should not suffer for the faults of retailers.”
This statement, and survey in general, contained “inaccuracies and misrepresentations,” said the group of retailers, which included the Retail Industry Leaders Association, the National Retail Federation and the National Restaurant Association.
“ICBA cannot simply dismiss data breaches as a retail problem and refuse to recognize the risk to financial institutions — to do so would be a disservice to your members,” the groups said.
Retailers bear equal or greater costs after a data breach, they argued, pointing to a 2013 Federal Reserve study of debit card fraud.
Banks are also disingenuous about their switch to chip-enabled cards, the retailers said.
“While ICBA supports the movement to embedded-chip technology for credit and debit cards, the organization appears to only do so grudgingly, questioning its efficacy against data breaches,” they said.
Retailers called out ICBA on not committing to chip-and-PIN cards, where a microchip encrypts the credit card info, and the user confirms the purchase by entering an ATM-style PIN number.
Banks have pledged to move by October 2015 to at least chip-and-signature cards, which still has the microchip encryption, but is backed up by a more fallible signature.
“The added security provided when each customer is given a unique personal identification number or PIN has already been shown to make debit card transactions 700 percent safer,” the groups said.
The U.S. is the only major western country in the world that has not adopted chip-based cards.
Many of these liability issues could be resolved through data breach legislation. Congress held multiple hearings throughout 2014 to consider a possible bill to establish minimum data security standards. No serious proposal came close to passage.
An ongoing lawsuit between major U.S. banks and Target could also establish legal precedent for liability in the wake of a cyberattack. A late 2013 Target breach exposed 40 million customers’ payment information and banks are alleging they have not been properly reimbursed for their costs.