Retailers Claim CU Cybersecurity Statements ‘Misleading’; CU Trade Groups Punch Back

WASHINGTON—A consortium of associations representing U.S. retailers is calling statements made by both CUNA and NAFCU “misleading and factually inaccurate points” regarding the state of cybersecurity, specifically at retailers.

But in response, CUNA CEO Jim Nussle answered, “We’ll back off when retailers take their responsibility.” Similarly, NAFCU CEO Dan Berger responded, “We will join their partnership when retailers and merchants begin properly protecting consumers’ data and investing in the technology necessary to do so.”

The letter from the retailers came on the same day CUNA produced an estimate that the Home Depot breach had cost credit unions almost $60 million, on top of the estimated $30 million in expenses that resulted from the earlier Target breach.

The letter, sent Oct. 30 to CUNA CEO Jim Nussle and NAFCU CEO Dan Berger, charges the two groups and state-level credit union associations with perpetuating what it says are “misconceptions” regarding recent cyber-attacks and the response from both retailers and financial institutions.

'Misconceptions' Identified

Among those misconceptions, according to the retailers:

* Data breaches only – or disproportionately – affect retail merchants. “We know that this can be easily disproved by both empirical evidence and recent high-profile occurrences. When the 2014 Verizon Data Breach Investigations Report analyzed 1,367 data-loss incidents last year, they found that 465 (roughly 34%) took place at financial institutions, while fewer than 150 (less than 11%) affected retailers,” the letter states. “Furthermore, the recent breach at J.P. Morgan Chase & Co. – one of the largest financial institutions in the world – is reported to have compromised the information of some 76 million households and 7 million businesses.” And, as the USA Today reported on its front page October 20, “Federal officials warned companies Monday that hackers have stolen more than 500 million financial records over the past 12 months, essentially breaking into banks without ever entering a building.”

* Retailers do not share the costs incurred by card fraud. “A 2013 study by the Federal Reserve looked at fraud instances associated with use of debit cards and found that retailers do share the costs incurred as a result of card fraud,” the retailers stated. “In fact, costs were shown to be borne almost equally among retailers and card-issuing institutions…And merchants pay the cost of card fraud in advance, through swipe fees, before fraud is ever incurred. In fact, even the Federal Reserve’s debit card regulations are geared to provide that the average issuer has one hundred percent of its debit fraud losses covered by swipe fees. Moreover, even after absorbing substantial fraud losses, merchants are subject to massive fines by Visa and MasterCard networks and hundreds of millions of dollars in restitution through private litigation for cybersecurity breaches.”

* Retailers do not contribute to the costs of issuing new cards to consumers after a data breach. “Merchants do, in fact, reimburse card issuers for both card reissuance and actual fraud losses following a breach based on many factors, including: the number of cards requiring reissuance, the incremental fraud associated with each individual card, and the age of the card and when it was due for reissuance, regardless of a breach.”

The merchants argued that statements being made by the credit union trade associations are belied by Visa’s and MasterCard’s own legal agreements.

“To support our insistence that CUNA and NAFCU stop repeating such false statements as ‘merchants bear NONE of the costs to issue...new credit and debit cards,’ ‘merchants pay nothing when they lose my personal data, [and so] they have no reason to make their data protection standards more stringent,’ and ‘when the merchants cause a data breach, they just pass along all the costs...to my credit union,’ we bring to your attention the specific sections of MasterCard’s operating rules where these sections may be found: 6.4.1 ADC Operational Reimbursement Factors, MasterCard Account Data Compromise User Guide, July 22, 2012,” the merchants’ letter states. “Of course, Visa maintains similar schedules to which your credit unions have contractually agreed to as well.”

Other misconceptions being spread by the CU trades include “retail merchants leave the burden of customer security exclusively up to credit unions and banks,” the retailers wrote.

Says Credit Unions Are Lagging

The retailer associations stated that their member merchants are on “track to complete an enormous investment in order to be able to accept chip cards next year. Yet, there is still little promise that card issuers will issue such cards,” and said financial institutions are increasing risks by not taking all appropriate measures.

“Moreover, card issuers in the United States intend to begin issuing chip cards without requiring PINs, a feature that is proven to reduce fraud by 700% on debit cards alone,” the retailers stated. “If this occurs, it will result in an inexcusable lapse which threatens to make billions of dollars in merchant upgrades ineffective. It is difficult to ignore the benefits of PINs for enhanced security when credit unions themselves require them for withdrawals at their own ATMs.”

The retailers group, which includes the Retail Industry Leaders Association, the National Retail Federation, the Food Marketing Institute, the National Association of Convenience Stores, the National Grocers Association, and the Merchant Advisory Group, called on CUNA and NAFCU to stop “engaging in finger-pointing,” and instead help put in place a payments ecosystem that is effective and secure.

“The bottom line is that consumers and accountholders deserve solutions, not posturing and misinformation,” the retailers wrote. “Unfortunately, while retailers, restaurants, convenience stores, hotels, national banks, card networks and community banks have joined the Partnership, one constituency has still not seen fit to participate: credit unions. It is past time we started working together for the greater good of America’s consumers.”

In response, Nussle issued a statement saying, “As we have documented in two surveys this year, data breaches at retailers have cost credit unions and their members a minimum of $90 million – and those are the costs only for breaches at Target, for $30 million, and Home Depot, at nearly $60 million. With the many other breaches that have also occurred – at Staples, Neiman-Marcus and others -- certainly credit unions have incurred millions more in costs this year. In our most recent survey, released just today, credit unions told us that – to date – they have received no reimbursements for the Target breach, now more than 10 months after the breach occurred. In short, we’ll back off highlighting the costs of data breaches on credit unions when merchants step up and take responsibility, adopt the same data standards, and stop making consumers vulnerable.”

Both CUNA and NAFCU continue to lobby for legislation that would set national data security and breach notification standards. NAFCU noted in its response that it is a member of the Payments Security Task Force, which includes payments networks, banks, credit unions, acquirers, retailers, POS device manufacturers and others, and which is focused on payments system security.

Copyright Holder: CUToday.info
Copyright Year: 2026
URL: https://cuto-admin.flux5.ccplatform.net/Fresh-Today/Retailers-Claim-CU-Cybersecurity-Statements-Misleading-CU-Trade-Groups-Punch-Back