Five retail trade organizations including the Food Marketing Institute, National Association of Convenience Stores, National Grocers Association, National Restaurant Association, National Retail Federation and the Retail Industry Leaders Association have written to the United States Comptroller of Currency and the Senate Banking Committee to clear up what they refer to as “misconceptions” about the relative effects of cyber-security breaches on retailers.
The letter came in response to remarks made by Comptroller of Currency Thomas J. Curry earlier this fall and to testimony before the Senate Banking Committee by OCC Senior Critical Infrastructure Officer Valerie Abend earlier this month.
The letter reads in part, “Unfortunately, Ms. Abend appears to be uninformed about the way the payment card system operates to push liability onto merchants when there are data breaches – wherever those breaches happen. It is important for policymakers to have all the facts regarding data breaches so they can make informed decisions about economic incentives and how policy should interact with currently existing incentives.”
The retail groups make four central observations:
1) They pay a share of data breach costs.
2) They pay card reissue costs in the aftermath of a breach.
3) Both financial institutions and retailers have suffered breaches (and financial institutions suffer from proportionally more, and more costly, breaches).
4) Retailers have invested heavily in payment security through EMV, tokenization and P2P encryption, among other things.
The retailers further note the failure of the mag stripe and the fact that the switch to Chip and Signature is not sufficient. They stress that the EMV migration should be to full Chip and PIN.
As for what they want?
“In the future, we hope that the OCC will check the facts and engage in dialogue with groups it might mistakenly be maligning – in this case our members – before submitting testimony on these topics.”