Credit Union Group Hits Back Against Retailer Claims

The National Association of Federal Credit Unions is fighting back against attempts by the National Retail Federation to put responsibility for ensuring customer data security in the hands of financial institutions.

Data security has been in the news recently, following a series of data breach incidents in which millions of customer debit cards were compromised at several retailers.

The National Retail Federation – which represents merchants who handle card payments – has called for the widespread adoption of new technology that places a microchip into the debit and credit cards used by consumers. These chips would replace traditional magnetic strips on cards, and promise to add a greater measure of data security.

Recently, the retailer group asked that Personal Identification Numbers (PINs) be used in addition to the chips – saying that this so-called “Chip-and-PIN” approach would offer the greatest level of security against the types of breaches that occurred during the 2013 holiday shopping season.

But financial institutions – including credit unions — are pushing back against a campaign by the NRF to push Chip-and-PIN. They say that retailers need to take their fair share of responsibility for protecting customer data, and that what’s really needed is a national policy on data security – not just a technology approach.

In a statement, NAFCU Vice President of Legislative Affairs Brad Thaler suggested that the retailers were trying to push the bulk of responsibility for improving data security – and paying the costs association with data breaches — onto financial institutions. “Retailers should be part of the solution to address data breaches,” Thaler said. “Unfortunately, they continue to cast blame on financial institutions by their selective and misleading use of data.”

Thaler cited a 2013 study by Verizon, showing that the retail industry was the #1 target in incidents resulting from network intrusions. He said that nearly 22% of network intrusions occurring at retailers while the finance sector accounted for just over 8% of the intrusions.

“Despite their claims to the contrary, the retailers continue to leave consumers and financial institutions picking up their tab when they (the retailers) are breached,” Thaler said.

Thaler called for retailers to be held to the same regulatory standards as credit unions and other financial institutions, who have to comply with federal standards for data security under the 1999 Graham-Leach-Bliley Act.

NAFCU isn’t necessarily against the adoption of new technologies to safeguard customer data, but the group wants a comprehensive, holistic approach that holds all parties – financial institutions and retailers alike – responsible for maintaining security.

“We agree that it is important to work together to prevent data breaches and protect the American consumer,” Thaler said. “We just wish the retailers would take more responsibility and pick up their part of the bill when they are at fault.”

Most consumers would agree that all parties need to up their games to keep up with increasingly sophisticated criminal groups who are out to steal customer data. Hopefully this war of words will result in some much-needed fixes.