NRF: 4 lies about data security

What if a government agency held hearings on fraud protection and data security, prompted by recent data breaches at national retailers, and failed to invite a single retailer?

That's exactly what happened when the House Financial Services Committee's Subcommittee on Financial Institutions and Consumer Credit held a hearing on "Data Security: Examining Efforts to Protect Americans' Financial Information." It was an effort to understand the data thefts at retailers, including Target's high-profile breach affecting more than 70 million customer accounts. But with no retail representation, the hearing was largely filled with "falsehoods, inaccuracies and half-truths," according to David French, senior VP of government relations at the National Retail Federation.

French counters with the NRF's list of the four biggest lies about data security, and what he says the truth really is.

First on his list is the claim that retailers are not properly incentivized to protect their data and that "assigning liability" for the breaches is critical. French says this is false. Retailers already pay a very high price for a breach, he points out, as Target's losses to date from breach-related costs and lost business show.

"Retailers must, and do, comply with the PCI Standard, designed by financial institutions, to protect sensitive information first, before they are even able to process payments in the first place," said French. "Assigning liability is not the issue; the fundamental problem is that the current card number system is too easily monetized by thieves."

The NRF and other groups within the industry continue to call for chip and PIN implementation.

The second and third falsehoods, according to French, are that financial institutions' systems are better protected than retailers' and that financial institutions adhere to higher security standards than retailers do.

And the final lie, according to French? That retailers unnecessarily store credit card information, which creates more opportunities for thieves to steal data.

However, in 2007 it was the NRF that argued to the card companies that merchants shouldn't be forced to keep card data. The card companies insisted that merchants retain it; otherwise, merchants would be required to accept chargebacks and absorb the fraud losses. The rules established by the payment card industry therefore encourage retailers to keep card data, according to the NRF.

Much of this is finger-pointing as Congress, financial institutions, retail organizations and card companies play the blame game. But until everyone is at the table and looking forward, not back, the problem can't honestly be addressed.

For more:
-See this NRF blog post

Related stories:
Target: Timeline of a data breach
Target's data breach is a story with long legs
Target breach: Heating vendor confirmed as hackers' entry point
Target to install chip and PIN card readers, says that only 25 registers were to blame for massive breach
The story of how Target had chip and PIN cards, but failed to keep them