Retailer organizations are lambasting an Independent Community Bankers of America survey that blamed retailers for breach costs that totaled $90 million at The Home Depot Inc. this year.
In a letter to the ICBA and bearing Monday’s date, the chief executives of the Retail Industry Leaders Association, National Retail Federation, National Grocers Association, Merchant Advisory Group, National Association of Convenience Stores, Food Marketing Institute, and the National Restaurant Association, claim the ICBA’s principles for improving breach countermeasures are “based in part on misinformation and at best incomplete.”
The ICBA, a trade group for small financial institutions, did not respond to a Digital Transactions News request for comment on the letter. In a press release accompanying its survey results and dated Dec. 18, the organization said its members had reissued nearly 7.5 million credit and debit cards in the wake of the Home Depot compromise.
The retailers are upset about ICBA suggestions that breached organization should bear the costs of remedying a breach; that the Gramm-Leach-Bliley Act banking law is sufficient as a model for data-security standards; that more information needs to be determined; and that smart cards alone may not have prevented some recent retailer breaches. The ICBA’s Dec. 18 release said the organization “continues to advocate key data-security principles to Congress and the payment card networks.”
In particular, the retailer organizations take exception to a remark in the ICBA release attributed to John Buhrmaster, ICBA chairman and president and chief executive of 1st National Bank of Scotia, N.Y.: “Communities and customers should not suffer for the faults of retailers.” The remark insinuates “that merchants are shirking their responsibility and this is simply inaccurate,” the merchant groups argue in their letter.
The costs of correcting a data breach, such as by issuing new cards, are shared, the retailers say. “Merchants contribute to the costs of reissuing cards not only through swipe fees, but through contractual agreements between Visa and MasterCard and your member institutions,” the retailers say.
They also contend that extending the Gramm-Leach-Bliley act to merchants is insufficient because “banks have significant discretion over what customers are actually told under the law, and whether they are told anything at all.”
As to the ICBA’s call for greater information, the retailers say they already participate in two major organizations dedicated to this. One is the Retail Cyber Intelligence Sharing Center, a recently launched effort by RILA to enable information sharing among retailers. The other is their participation in the Merchant Financial Cyber Partnership, a newly-formed entity that uniquely includes eight financial-services trade associations, including the ICBA, and 11 merchant groups.
“We appreciate working with the ICBA as part of the partnership, but find accusations like those in your recent press release to be extremely counterproductive to our joint efforts,” the retailer groups say.
The retailers also took umbrage over what they perceived as the ICBA’s lack of specificity regarding chip card technology. The U.S. payment card system is in the midst of converting to credit and debit cards that use chips instead of magnetic stripes to authenticate the veracity of a card.
“Furthermore, the ICBA only references general ‘chip technology’ and not the more secure type—‘chip-and-PIN’—for which we are advocating,” the retailers say.
Retailers want consumers to use PINs to authenticate their chip cards instead of signatures because, they say, PINs provide better security than signatures. Issuers and card brands generally prefer signature because consumers already are used to signing when making a payment with a credit card.
“For the sake of our customers and all American consumers, it is crucial that organizations like ours work together to make electronic payments more secure,” the retailer says. “By clearing up misinformation and fostering open dialogue, it is our hope to achieve this common and critical goal.”