GuestView: Credit Unions Argue That Retailers Are Not Penalized When Breached. May I Ask What Planet You Live On?

Steve Sommers is the Senior VP for applications development at Shift4 and this is a periodic GuestView on security issues.

A recent story in a popular security newsletter featured a headline that got my blood boiling, and when I read the post, things only got worse. The essence of the piece involved the National Association of Federal Credit Unions (NAFCU) asking Congress to create laws to further punish the victims of a breach. I assume NAFCU is hoping that whatever fines the government assesses on these merchants will be justly handed over to the issuers. The upshot of their argument is that merchants have no skin in the game when they are victims of a data breach. I vehemently beg to differ.

The original story started by saying that "banking institutions rarely recover the financial losses they suffer after cards are exposed as the result of a retail breach." In just that opening line, I can cite four facts that contradict the single point being made. First, what are the real costs to the issuer? Key word here: "real" costs, not "inflated for a profit." Let's see: $2 for the plastic, $1 for the mailer, $1 for postage, and a generous $4 for labor and overhead. That works out to $8 total, and those numbers are already grossly padded. So why do I see reports by issuers claiming a $25-$75 "cost" to replace a card? Can you say exaggerated?

Second, most of the payment card information stolen from merchant breaches is used for fraudulent card-not-present/e-commerce transactions. Most card-not-present fraud is charged back to the merchant even though the issuer issued an authorization code. The issuer has little or no liability for these fraudulent card-not-present transactions. Instead, merchants bear the cost burden. Maybe e-commerce merchants should band together and ask Congress to force issuers to honor the authorization codes they issued–the issuer should be more responsible (and liable) here.

Third, merchants are fined by the card brands for breaches. Reading this post you would think the merchant simply says, "Oops, my bad," and continues on without penalty as if nothing happened. Wrong. Merchants are fined (technically, their acquirer is fined and then passes it on), not just as the result of a breach, but also as the result of not being PCI compliant (which, in theory, is to prevent a breach).

Since PCI's inception (and even before), the card brands have argued that the fines paid by a breached merchant (OK, "reimbursement") are used to cover card replacement and other costs. This would indicate that the issuer gets a significant portion of these fines. If the issuer is not part of the fine revenue stream, then they should take this up with the card brands, not the merchants.

Fourth, the entire card brand fee structure includes fraud-loss components. The fees the merchants pay to process payments include this component, and the issuer shares in this revenue stream along with the acquirer and the card brand.

OK, so that’s four paragraphs on just the first line of the post. Let's move on. I’ll try to be more succinct.

Near the end of the second paragraph, the story touches on "asking Congress to step in and hold breached retailers and processors accountable when their lax security practices result in the leakage of card data." The blind leading the blind comes to mind here (or maybe the blind asking the blind).

The credit unions here are making the same misassumption that the card brands make in regard to a breach and this is my biggest beef with how PCI is enforced. There is no such thing as 100 percent security. A breach in and of itself does not "lax security practices" make.

In fact, I would wager that many of the headline-making breach victims in recent memory had better security in place than many of the credit unions pushing for this legislation.

In the fifth paragraph we read, "Retailers need to take on more responsibility for the breaches they suffer." Honestly, what world are these comments coming from? Are issuers so blind as to not have any clue what merchants are responsible and liable for? Let's list a few applicable costs and liabilities that merchants face each day:

  • Merchants pay discount rates that include fraud loss factors
  • Merchants must be PCI compliant
  • Merchants must purchase and properly configure routers and firewalls
  • Merchants must only use properly configured, PA-DSS compliant and/or certified compliant point-of-sale software (and while PCI has been around for quite a few years, many POS providers still surcharge for this compliance in the form of "updates")
  • Merchants must train their staff on secure handling of payment data
  • Merchants must take the time for annual SAQ preparation and submittal (time burner), and/or PCI scans (somewhat costly), and/or PCI assessments (costly)
  • And heaven forbid, if a merchant is breached: Merchant receives the black eye, not the issuer; merchant has to reimburse the fines originally assessed from each card brand; merchant receives fines and penalties from local, state, and federal governments; merchant is open to lawsuits from cardholders looking to profit.

A (Flawed) 5-Point Plan

NAFCU is proposing a five-point plan for regulatory relief. The fifth point of this plan, "21st Century Data Security Standards," is, frankly, ridiculous. It appears to have completely forgotten about PCI.

Point five calls for Congress to:

  • Establish national standards for safekeeping of all financial information. Pretty sure PCI DSS has that covered.
  • Establish enforcement standards for data security that prohibit merchants from retaining financial data, and require merchants to disclose their data security policies to customers. Again, PCI. While I'm not aware of any requirement for merchants to post their security policies, they do need to comply with PCI DSS 100% of the time (which is an impossibility, but that’s a post for another day) and PCI’s standards are publicly available.
  • Hold merchants accountable for the costs of a data breach, especially when it was due to their own negligence; shift the burden of proof in data breach cases to the party that incurred a breach and require timely disclosures in the event of a breach. Once more, PCI’s got this covered. Oh, and the card brands go one step further and take negligence out of the equation. That’s right, NAFCU: they’ve already given you more than you even dreamed to ask for. If a merchant is breached, they are liable, negligent or not.

Now I’ll admit, I am confused by the "shift the burden of proof in data breach cases to the party that incurred a breach" part of this request. Proof of what? And what burden? Are they asking for the breached party, which likely does not even know it was breached, to come forward and blindly admit it was breached? That needs some rethinking.

In the fourth paragraph of this section, the story says: "the PCI-DSS clearly prohibits the storing of card data." No, it doesn’t. PCI DSS clearly prohibits the storing of unencrypted card data. Small change in wording, but there’s a major difference there.

Now we come to the seventh paragraph in this section and—surprise—I fully agree, although I would like to add some personal color to the last sentence: "But there's no uniformity to PCI audits, nor is there uniformity to how the qualified security assessors who perform the audits carry out their reviews." Here at Shift4, our Director of Information Security, Stephen Ames, affectionately refers to QSAs as "snowflakes." Not because they are cold or light and fluffy, but because no two are alike. As hard as the PCI SSC attempts to standardize the assessments, assessors are people, too. Much of what they do is subjective. And if you think government involvement will help this, I’d like to call your attention to IRS auditors. Enough said? Unfortunately, I'm not sure you'll ever eliminate this factor from the equation.

All right, and now for the doozy: "Card issuers have to ensure they detect compromises as quickly as possible to limit their losses. As it is, issuing institutions are typically the first to identify an attack and link it to a breach." Well, I should hope so since that is part of their job. Can you say risk management? Now something these banks seem to miss is that merchants pay them for risk management. Issuers want to just sit back and collect all the free-flowing money that magically appears, forgetting that some of it actually requires them to work.

One last point: "But merchants and processors should be investing in systems and technologies that help them better detect the attacks their networks suffer. The problem is, they have little incentive to do so." The story called this one out as a key quote. I think they did it just to get me riled up. Honestly, I have no clue whatsoever where this came from. How can you claim merchants have little incentive to avoid breaches, the accompanying fines, and potentially damning tide of negative publicity and brand damage? I’m convinced it was either a massive oversight or a deliberate dig at merchants.

What are the banks and credit unions up to? If it's so costly for them to offer these products, why do they continue offering them to their clients? Let me take a wild guess – because it's profitable.

I frequent several forums that deal with payments and PCI. A recent post, made half in jest to an exasperated merchant, reminded us that "there is no law requiring merchants to accept credit or debit cards." As much as I hate that advice, I guess it can apply here as well.

There is no law requiring banks or credit unions to offer credit and debit cards to their clients. But somehow, I don’t see that happening. They want to reap the financial benefits and allow someone else to shoulder the costs and the burdens of risk management. Keep dreaming, NAFCU.