Jim Daly
Has the U.S. payment card industry invited federal regulation by taking so long to replace the magnetic stripe?
The massive data breach at Target Corp. as well as other cyber thefts at national retailers disclosed over the past six months have raised the unwelcome possibility among merchant acquirers, banks, and others in the payments industry that Congress could get itself involved in credit and debit card security.
The breaches themselves, and the closely related issue of a federal law governing consumer notifications about breaches to supersede the crazy-quilt of 47 state notification laws, spawned no fewer than half a dozen hearings in the Senate and House of Representatives in recent months, and more may be coming.
“I don’t think I’ve seen a case come up before Congress that’s had six hearings—that’s unheard of,” says Bob Russo, general manager of the PCI Security Standards Council. The Wakefield, Mass.-based organization oversees the Payment Card Industry data-security standard and two related sets of rules for card software and PIN-accepting devices.
In a worst-case scenario, according to many payments executives, Congress would take upon itself the task of dictating which security technologies or protocols the card industry should use.
Industry executives, however, consider that possibility unlikely, noting that mandates from Capitol Hill could hamstring them as they attempt to deploy new security systems—especially as the U.S. begins its switchover from vulnerable magnetic-stripe cards to more secure Europay-MasterCard-Visa (EMV) chip cards. The U.S. happens to be the last major industrial country not on the EMV standard, which has been around for about 20 years now.
Lawmakers and federal officials themselves downplay the possibility of technology mandates from on high.
“It doesn’t make any sense for the Congress to mandate specific technologies, but it does make sense … to say to industries that you have to keep up with changes, and if you don’t keep up with changes, then you’re liable,” Sen. Ed Markey, D-Mass., said at a March 26 Senate Commerce Committee hearing.
At that same hearing, Federal Trade Commission chairwoman Edith Ramirez said, “We believe that a flexible approach is the way to go here.”
But Congress can respond to signals differently from private-sector companies. Thanks to the recent data breaches at Target, Neiman Marcus, and other retailers, card security has become a national issue. Politicians sense that the public wants action, even if it may not know what action is best.
Sen. Amy Klobuchar, D-Minn., noted at a Feb. 4 Senate Judiciary Committee hearing that “we get a lot of push-back” when bills addressing cybersecurity are proposed. (Target’s chief financial officer, John Mulligan, who was appointed interim president and chief executive in early May after chief executive Gregg Steinhafel resigned, and Neiman Marcus’s chief information officer testified at that hearing.) However, she then added: “We have to do something.”
‘Digital Pickpocketing’
Minneapolis-based Target’s breach was far from the first big card breach. But when the nation’s second-largest general retailer reports that 40 million payment card numbers and non-card personal information on 70 million consumers were stolen, all eyes take notice.
“Target woke people up,” says Guy Chiarello, president of the big payment processor First Data Corp., Atlanta. “It’s a brand name. People shop there on a day-to-day basis.”
Acquirers and other executives in the card industry are now aware that the “we have to do something” sentiment could have implications for them. One more big breach, and the industry might lose its chance to transition to EMV, or otherwise ramp up security, unimpeded by Washington.
“If we see another breach, Congress is going to feel compelled to do some kind of legislation,” says the PCI Council’s Russo, who felt the heat as a witness at two of the hearings. “Does the government really need to step in and do something? Target is a household name. If you’re exfiltrating 110 million records, there’s got to be an alarm that goes off somewhere.”
Some observers see a rationale for regulation developing that mimics the one that ultimately supported utility regulation: public safety.
Says smart-card technology consultant Maarten Bron, director of innovation for transaction security at testing firm UL (formerly Underwriters Laboratories): “The Target breach was a case of digital pickpocketing—one out of three citizens got affected. From a political point of view, this cannot be ignored. An issue becomes so large it affects public safety.”
One merchant-acquiring executive with painful data-breach experience believes more government involvement in security is on the way.
“There is likely to be a lot more regulation of our industry in a lot of areas because of the failure of our industry to regulate ourselves,” says Robert O. Carr, chief executive of Heartland Payment Systems Inc. “We’ve known about this [breach] problem for a long time.”
In early 2009, Princeton, N.J.-based Heartland disclosed what would go on record as the biggest payment-card data breach to date, with some 130 million card numbers compromised. The breach led Heartland to develop a new line of data-encrypting point-of-sale terminals and to become a leader in the push for better security.
Another Durbin?
The growing debate over industry self-regulation or activist governmental remediation in the wake of a crisis recalls the financial meltdown of 2008, which spurred Congress to pass the Dodd-Frank financial-reform act in 2010.
During the deliberations, U.S. Sen. Richard Durbin, D-Ill., the No. 2 Democrat in the upper chamber, slipped his debit card regulation amendment into the massive Dodd-Frank bill. With strong support from merchants, Durbin’s amendment survived a furious attempt by a surprised and weakened bank lobby to excise it.
Today, having government do something useful about card security should, in the payment industry’s mind, be limited to three major items. The first would have Congress come to a heretofore elusive agreement on a federal breach-notification law. With Kentucky’s recent passage of such a law, all but three states—Alabama, New Mexico, and South Dakota, according to the National Conference of State Legislatures—now have notification laws.
Merchants are complaining about the difficulty in complying with all their nuances and strongly prefer just one set of notification rules.
“A federal law that preempts the patchwork of state laws in place today will help ensure that customers receive timely notification and actionable information following a breach,” Sandy Kennedy, president of the Retail Industry Leaders Association, testified before the Senate’s Homeland Security and Governmental Affairs Committee April 2.
The topic has spawned five proposals in the Senate and two in the House. It’s a tug of war between retailers, banks, and other businesses on the one side that want discretion about when and what to disclose, and consumer advocates on the other side pushing for fast, full disclosures.
But some Washington veterans are optimistic that Congress can pass a bill acceptable to the major interest groups that would work better than the state laws.
“I think there’s a good chance that we may see some rationalization of that with a national breach law,” says Paul Smocer, president of BITS, the technology policy division of the Financial Services Roundtable, the Wall Street lobbying group.
Congress also could clear away legal obstacles to information sharing so that merchants that normally are competitors could exchange knowledge about data-security threats with each other and third parties without fear of being sued on antitrust grounds.
Other barriers to information sharing, according to Smocer, include questions of liability for disclosing breach-related intelligence about innocent parties. Such a case might involve, for example, disclosure of the Internet Protocol (IP) address of an unwitting consumer whose computer cyber-thieves had enrolled in a botnet. Would the bank or retailer that told others about it be liable in court or face regulatory penalties?
“The good-faith liability question is the biggie,” says Smocer.
Banks in 1999 established the Financial Services Information Sharing and Analysis Center (FS-ISAC) to promote the exchange of security information in their industry. Now, according to the National Retail Federation, retailers are developing a similar group tentatively known as the Retail Information Sharing and Analysis Center.
A third avenue of useful government action in data security involves stepped-up investigation and prosecution of cyber-thieves, including more international cooperation because so many hackers seem to reside in Eastern Europe (including Russia) and the Far East.
“There is a place for government—it’s law enforcement,” says Russo. “In many cases we know who these [criminal] people are, where they are. Let’s not forget who the bad guys are. Let’s get them.”
Getting the bad guys, however, is often easier said than done, especially when a hack originates overseas. Some Eastern European countries pay lip service to cooperating with U.S. computer-crime investigators and are loath to extradite suspects. In 2014, the situation has become even stickier because of Russia’s dispute with Ukraine, the latter of which has the sympathy of the West.
‘Things Change’
For now, payments-industry executives are telling anyone on Capitol Hill who will listen that, beyond the headlines, card fraud is actually relatively low and that they’re working diligently on the transition to chip cards and better security for new forms of payment such as mobile.
“I do find that when you talk to them directly that they are surprised that fraud is at or near historic lows,” says Ellen Richey, chief legal and chief risk officer at Visa Inc. (Bank card fraud rates of late have been about 6 basis points of charge volume, that is, roughly 6 cents of fraud per $100 charged.) She also reminds lawmakers that fraud occurs on only 2% to 5% of accounts exposed in a breach.
Richey, who testified on Capitol Hill, says Visa’s U.S. liability shift will be more effective in promoting security than any government mandate. Under that shift, effective for most merchants in October 2015, liability for counterfeit fraud resulting from a POS transaction will fall on whichever party has not adopted EMV: the merchant (through its acquirer) if the terminal cannot process chip cards, or the issuer if it has not put chips on its cards.
Other countries, mostly through regulatory channels, have mandated use of certain technology or authentication protocols that had unintended consequences, according to Richey.
For example, South Korea some years ago required use of a certain Microsoft Corp. application for online-commerce security that sidelined, at least for a while, consumers using non-Microsoft browsers.
And India mandated use of two-factor authentication for e-commerce. That tactic was “beneficial in their market in the short run,” she says. But in the long run, it didn’t account for the coming of transaction tokenization, a strong security technology that substitutes a surrogate value for the card number in transactions and doesn’t rely on two-factor authentication.
“The whole point is things change, things develop,” says Richey.
Election-Year Issue?
Things are really changing and developing quickly in mobile payments. Ken Paull, chief executive of Boston-based Roam, the mobile-payments subsidiary of POS terminal maker Ingenico S.A., predicts government will closely examine mobile security but probably leave it to the industry to decide on the best fortifications.
“As [legislators and regulators] peel the onion they’re going to realize how technically complex this business is,” says Paull. “They will look to this industry enforcing [its own rules] as a first step.” He adds: “I think the PCI Council will need to step up and get more involved in governance of mobile POS.”
EMV, meanwhile, protects only card-present transactions; it does nothing for online (card-not-present) payments. Online fraud has risen in countries that adopted EMV, and it is rising in the U.S.
At the winter and spring hearings, some legislators displayed an awareness of seemingly arcane issues involving EMV cards that indicated they’ve studied the issue to at least some degree.
For example, Sen. Orrin Hatch, R-Utah, opined at the Senate Judiciary Committee hearing that chip-and-PIN authentication with EMV cards would provide better security than chip-and-signature.
Whether legislators will continue their education in payment card security is unclear, especially if things settle down on the data-breach front. Viveca Ware, executive vice president of regulatory policy at the Independent Community Bankers of America trade group, notes that 2014 is an election year. The post-breach hearings gave lawmakers a chance to look consumer-friendly.
“You could have a lot of discussion without legislation enacted into law,” she says.
Even if more breaches occur, Congress may still show restraint, according to Ware, who says she’s discussed security with Congressional staffers.
“My sense is there is not an inclination for a mandate, an EMV mandate or technology mandate,” she says. “They understand the downside … the industry needs to have the flexibility with technology as the threats evolve.”
But cold statistics about fraud rates and the needs of industry could give way if more high-profile data breaches create a political imperative for governmental action.
—With additional reporting by John Stewart