Retailers including Target and Neiman Marcus made the rounds on Capitol Hill this week, testifying at three days’ worth of hearings with the dual mission of apologizing for recent large-scale data breaches and discouraging any new regulatory legislation.
But while Republicans would likely try to block any new laws, the retail industry may have lost another key ally: some representatives from the financial sector who now say they would have no problem with new regulatory proposals.
The recent breaches have exposed a rift between retailers and banks that has been looming for years.
While the banks say that lax data protection on the part of retailers puts consumers at risk, retail groups say the greatest threat comes from the fact that the U.S. financial sector hasn’t adopted the more secure bank card system that Western European nations began implementing a decade ago.
According to retailers, breaches would occur less often and have less impact if U.S. banks replaced current payment cards, which store data on magnetic strips and use customers’ signatures for verification, with cards that store data on embedded microchips and use personal identification numbers for verification. If those chip-and-PIN cards were in place, it “would have rendered the account numbers that were taken far less useful” in the Neiman Marcus breach, Chief Information Officer Michael Kingston told lawmakers Tuesday.
U.S. banks agree that a shift in card standards would improve security, but note that it would cost billions of dollars, both for them and for retailers that would have to replace card readers. They would prefer cards that have embedded microchips but continue to use signature verification.
Data security has increasingly become a concern for Congress, not only because of the recent breaches — which affected as many as 70 million customers at Target alone — but also because of other high-profile cases at companies including Sony, TJX Corp. and Coca-Cola. The nonprofit Privacy Rights Clearinghouse calculates that over the past nine years, businesses including financial institutions and retail outlets have reported 1,571 breaches involving 470 million customer financial records.
‘On Top of It’
Prior to his Monday appearance before the Senate Banking Subcommittee on National Security and International Trade and Finance, Troy Leach, chief technology officer for the PCI Security Standards Council, a payment card industry group, said the challenge for the private sector this week was to “show that industry’s on top of it.”
Actually convincing members of that might be difficult, though. While lawmakers from both sides of the aisle said they didn’t want to single out particular retailers for criticism, several influential Democrats said they want legislative action on this long-standing issue.