It’s no secret that merchant data breaches have become a chronic issue. Two of the largest breaches in history have happened in the past ten months — Target and Home Depot. It appears the Home Depot breach may be the larger of the two.
Why are so many breaches happening? One reason is that data security standards are inconsistent across the country. This latest breach demonstrates the need for data security requirements for merchants. Financial institutions, including credit unions, are subject to high data protection standards by law while merchants are not subject to federal data protection standards; there is no merchant financial accountability.
According to a Credit Union National Association survey, the Target data breach cost credit unions in Florida more than $1.5 million. If the Home Depot breach is larger, you can see that credit unions will incur considerable expense from a breach that they did not cause. The merchant does not incur any of these costs and, ultimately, the costs are passed along to consumers.
Congress has a role to play in addressing this issue. Lawmakers need to ensure all participants are playing by the same set of data security rules, and those merchants who hold consumer data and allow that data to be breached are responsible for the costs incurred by others. EMV (Europay-Visa-MasterCard) chips, tokenization, and other technologies are critical to the innovation of the payments system. Credit unions have little confidence that their efforts to secure their systems will result in greater member security until merchants are held to the same standards.
To protect consumers, credit unions are asking Congress to pass legislation that encompasses the following core principles:
- Provide a national standard for businesses to protect sensitive consumer information, rather than a myriad of differing state laws and regulations
- Ensure that merchants adhere to the same high data security protection standards that financial institutions must follow
- Hold breached entities responsible for investigating the source of the breach and reporting the breach to appropriate authorities and those affected in a timely manner
- Require the identified source of the breach to bear the cost of notifying and issuing new credit cards to affected consumers
All participants in the payment process have a shared responsibility to protect consumer data, but the law and the incentive structure today allow merchants to abdicate that responsibility, making consumers vulnerable and placing the burden on financial institutions.
Congress must act to protect consumers by taking steps to enhance data security standards for merchants.
Patrick La Pine, president/CEO, League of Southeastern Credit Unions & Affiliates, Tallahassee