Credit Union lobby urges Congress to act on retailer data security failings

Credit Union lobby urges Congress to act on retailer data security failings

In the wake of the massive data card breach at Target retail stores in the US, the National Association of Federal Credit Unions (Nafcu) has urged Congress to crack down on data security weaknesses in the merchant industry.

Retail chain Target confirmed yesterday that approximately 40 million credit and debit card accounts may have been impacted over a two-week period beginning on Black Friday, the busiest shopping day of the year.

The stolen data includes customer names, credit and debit card numbers, card expiration dates and the CVV1 security code stored on the card's magnetic stripe.

The break-in at Target follows similar mammoth lapses at other major retailers, including TJX and Marshall's stores.

In a letter to House Speaker John Boehner and Minority Leader Nancy Pelosi, Nafcu President and CEO Dan Berger noted that financial institutions, including credit unions, have been subject to standards on data security since the passage of Gramm-Leach-Bliley. However, retailers and many other entities that handle sensitive personal financial data are not subject to these same standards.

Says Berger: "While these entities still get paid, financial institutions bear a significant burden as the issuers of payment cards used by millions of consumers. Credit unions suffer steep losses in re-establishing member safety after a data breach occurs. They are often forced to charge off fraud-related losses, many of which stem from a negligent entity's failure to protect sensitive financial and personal information or the illegal maintenance of such information in their systems."

The letter urges Congress to make data security a priority issue in 2014, including convening hearings on the data protection standards of merchants and what can be done to strengthen them.

It also calls for a legislative change that would enforce retailers to cover financial institution costs associated with a data breach and to address the violation of existing agreements and law by merchants and retailers who retain payment card information electronically.

Nafcu also supports the passage of legislation requiring any entity responsible for the storage of consumer data to meet standards similar to those imposed on financial institutions under the Gramm-Leach-Bliley Act, and rules requiring mandatory disclosure to consumers and banks of retailer breaches.

"Target Corporation is just the latest in a string of several large-scale data breaches impacting millions of American consumers. The aftermath of these previous breaches demonstrate what we have been communicating to Congress all along: credit unions and other financial institutions - not retailers and other entities - are out front protecting consumers, picking up the pieces after a data breach occurs," writes Berger. "It is the credit union or other financial institution that must notify its account holders, issue new cards, replenish stolen funds, change account numbers and accommodate increased customer service demands that inevitably follow a major data breach. Unfortunately, too often the negligent entity that caused these expenses by failing to protect consumer data loses nothing and is often undisclosed to the consumer."

Comments: (1)

A Finextra member
A Finextra member 20 December, 2013, 11:18Be the first to give this comment the thumbs up 0 likes

Crime will always migrate to the weakest point. Having failed to implement Chip & Pin in the USA it's innevitable that something like this would happen (again!), though why Target were keeping and storing the card security codes is beyond me!  It'd be interesting to know if they were PCI-DSS compliant and exactly how the compromise took place.....