Retailers have enough trouble these days just maintaining profits in a weak economy. But data breaches like the massive one at Target have prompted the largest retail trade association to pitch Congress on recommendations for stemming the plague of fraud by moving to smart technologies that can reduce cybercrime, data theft and consumer fraud.
Mandatory Chip and PIN Cards
“We need PIN-authentication of cardholders regardless of the chip technology used on newly issued cards,” wrote Mallory Duncan, SVP and general counsel of the National Retail Federation (NRF), in a letter to the House Financial Services Committee’s Subcommittee on Financial Institutions and Consumer Credit.
“We also need chip cards that use open standards and allow for competition among payment networks as we move into a world of growing mobile commerce,” she added.
For years NRF has called for mandatory use of cards that both carry a chip and require a PIN. Such cards are widely used in Europe, but the card industry here has not upgraded to this technology. Instead, the industry would prefer to issue cards that have a chip but could be used with either a PIN or a signature, defeating a vital security provision.
A New Age of Cybercrime
According to the NRF, with credit and debit cards serving as a de facto currency in today’s world, cyber-savvy criminals find it more efficient to hack into computer databases to steal consumers’ names and card numbers than to rob a bank for cash.
The biggest reason card information can be stolen is that the U.S. credit card industry and issuing banks still use 1960s technology that criminals can easily breach.
Retailers end up with the lion’s share of headlines about data breaches because they are names consumers know, despite the fact that a recent Verizon study shows retailers account for less than a quarter of all such incidents. Financial institutions account for one third, while U.S. government agencies experience 60 breaches per day.
The NRF also asserts that PIN and chip technology is not the only answer. In 2007, NRF asked that retailers be allowed to keep only an approval code for each transaction, with banks retaining all consumer data that could be used to commit fraud.
Seven years later, the card industry has yet to make the change, leaving sensitive consumer financial data vulnerable because retailers still must retain it to respond to customer complaints of disputed charges.
Seeking Passage of Legislation
The NRF is also seeking passage of federal laws making it easier to share information about data crimes to ensure thorough investigation and prosecution. The NRF would like to see a uniform federal data breach notification law to replace separate laws in 46 states and the District of Columbia.