Retailers To Senators: Don’t Hit Us With Bank-Style Security Rules

Banking data-security regulations would be a “poor fit” for retailers and other businesses that accept payment cards, the National Retail Federation said in a letter to a group of U.S. senators, according to The Hill.

The letter comes as lawmakers are looking for ways to beef up security for payment cards after a string of highly visible data breaches. One set of proposals includes extending the authority of the Federal Trade Commission to apply bank-style regulations to any merchant who accepts credit, debit or gift cards. Right now the FTC only requires merchants to safeguard sensitive data and explain how it’s shared with other parties.

In an NRF-commissioned white paper sent with the letter, former FTC officials Joel Winston and Anne Fortney spoke out against applying the stricter bank guidelines to merchants. “The FTC considered applying the rules to retailers that accept bank credit or debit cards and declined to do so,” Winston and Fortney wrote. “We believe that determination remains equally justified today.”

The white paper also discusses the harm that bank-style security rules could do to retailers.

“While the banks covered by the guidelines are relatively homogeneous, extending the guidelines to all entities that accept payment cards would sweep in a vast array of businesses ranging from large multinational conglomerates to small operations, and could also include individuals,” Winston and Fortney highlighted in the white paper. “The threats faced by these widely diverse businesses are likely to vary widely as well, as would the sophistication and capabilities of the entities themselves for addressing the threats. A flexible approach as in the Safeguards Rule is necessary to account for those critical differences. Many of the guidelines’ provisions, which were drafted with banks in mind, likely would be unsuitable for a significant proportion of the entities that would be subject to these new requirements.”

A key problem in expanding the FTC’s role is the fact that bank regulators have continuing, interactive contact with banks to keep them in line with regulations, while the FTC is a law enforcement agency that can sue retailers only after they have violated the law.

A bigger problem is scale: There are about 6,500 FDIC-insured banks and about as many U.S. credit unions for regulators to supervise, compared with millions of merchants and other organizations and individuals that accept payment cards.

Another issue is the fact that retailers can’t dictate the level of security for payment cards — that’s controlled by card-issuing banks. “If the [bank-oriented guidelines] were made applicable to businesses that merely accept banks’ cards, they would impose security obligations on those with the least ability to implement the requirements applicable to payment card security,” the former FTC officials wrote.

Though there aren’t currently any government-mandated security requirements for card-accepting retailers, they are required to meet the Payment Card Industry Data Security Standards (PCI DSS) or be hit with higher transaction fees. That’s already more of a challenge than many large retailers can handle: 80 percent of merchants fail interim PCI DSS compliance assessments. In the case of smaller merchants and other organizations, many don’t even know the PCI security standards exist.

While the NRF wants legislators to reject anything that would extend the bank-oriented security regulations to retailers, the organization is in favor of a uniform national data-breach reporting law, the letter said.