Who is responsible when consumer data is breached? The simple answer is the criminals who breach it. But the reality is that every industry that handles consumer data shares responsibility, including banks, the government, manufacturers, retailers, and others.
As merchants, we value the trust consumers place in us. This is why we invest billions of dollars every year to secure our systems and prevent cyberattacks.
Despite all efforts, data breaches unfortunately occur everywhere – in retail, financial institutions, telecommunications, healthcare, and other sectors. But the problem is made worse by the fact that just one industry group – card networks like Visa and MasterCard – has monopoly control over decisions on the security standards for payments. Other stakeholders like consumers, merchants, and even bankers are largely shut out of this process. That just doesn’t make sense. Everyone needs to work together to help secure the payment system.
That joint effort is what we need, and that is where Congress’ attention should be focused. Unfortunately, legislative debates around payment and data security legislation have been bogged down for years in squabbles about which industries could get special exemptions from notifying consumers about their data breaches. That is exactly the wrong conversation.
Customers see only a small part of the complex system that processes their payment data when they swipe their cards or enter their information online. So here’s the scoop: The card networks alone established the Payment Card Industry data security standards for payment data. While those standards get applied to financial institutions and merchants, the expertise of those financial institutions and merchants isn’t part of the decision-making process. That’s a lost opportunity. And given the sophistication and deep pockets of the hackers trying to steal payment data, we can’t afford to lose that expertise. The expertise and perspectives of consumers and their representatives also have been lost along the way. There is no question we need that, too.
Just one example of these problems is the difference in security between ATMs and points of sale at merchants. At ATMs, we use state-of-the-art technology to ensure not only that the card being used is legitimate but also that the person using the card is the right person. We check the person by making them enter a personal identification number.
At the point of sale in stores, however, only debit cards tend to have PINs that can be used to verify the person, and the standards set by the card networks make it difficult to ensure those are used. That is a lost opportunity. PIN is state-of-the-art right now for ensuring the right person is using a card. We should be using PINs to prevent fraud everywhere we can and doing what we can to encourage their use.
If all industry groups were working together on industry standards for payment security, we have no doubt that PIN and other fraud-reduction strategies would be used to their fullest. We would make sure there was redundancy in the card networks available to handle transactions and that things like end-to-end encryption and tokenization were used to protect data, on open-standards platforms that aren’t just owned by the large incumbent networks.
We should be focused on how industry standard-setting is happening today — and how it really should be happening. The bottom line is that having a single industry sector dominate standard-setting hasn’t worked and won’t work. We need everyone at the table on equal footing.
Congress can help make that happen. Or, it can remain stuck in the mud of special interest loopholes. We think it’s time to change the conversation and get payment security out of the mud.
Lyle Beckwith is senior vice president of government relations at the National Association of Convenience Stores. Stephanie Martz is senior vice president and general counsel for the National Retail Federation.