In a recent blog post, Douglas Kantor laid out a tortured explanation for what he believes happens during data breaches. However, when trying to understand the payments system, the simplest answer is often the right one.
First, no one knows the precise cause of the breach at Target. The company made statements regarding responsibility following the incident, but how the intrusion occurred is still a mystery. What is known, however, is that the breach has left tens of millions of customers with their personal information exposed.
Across the credit union industry, our immediate response has been to protect our members. We have reissued their cards and increased our monitoring activity on their accounts. We didn't wait to assess how the breach occurred or whom we could blame; we acted swiftly to protect our members. While these efforts brought significant expenses to credit unions, they are also the reasons our members remain confident in their credit unions and payment system.
In his recent post, Mr. Kantor uses the settling dust from the recent Target attack to mask a lack of evidence supporting his points. He pointed to payment networks and the Durbin amendment, and while those networks certainly facilitate billions of global transactions at high speeds, at their core, they're simply a cost-sharing mechanism supported by interchange, interest, and fees. These three revenue streams support not just the system, but its security as well. Sen. Durbin's amendment placed price controls on interchange, which changed that system and hamstrung the credit unions' and banks' resources for security. Financial institutions of all sizes, big and small, have experienced a decrease in debit interchange revenue per transaction in the wake of the Durbin amendment.
Big box retailers assert that they should retain all of the benefits of electronic payments without taking on any of the responsibility for security, and instead, pass all the costs onto the consumers, taxpayers and financial institutions. They tout chip and PIN technology and PCI standards — which don't address many of the issues surrounding the Target breach — and they don't provide a suggestion as to how they might have been used to increase security.
In fact, these tools could not have done anything to alter the theft of consumer marketing data. Chip and PIN, to be truly effective, requires that retailers encrypt all data along the point of sale chain, decrypting it only outside of the merchant environment. Are retailers really willing to undertake this expense and responsibility when all of their waking efforts are devoted to socializing their legitimate costs? As we see increasing announcements about the varying types of data that were stolen, this notion that retailers carry no responsibility for protect consumers presents a dangerous and cyclopean view. Cyber security is simply not a one-dimensional issue.
Electronic payments began with the retail industry. Retailers sold their products to organizations that could run the system more efficiently and at a lower cost, avoiding the risk and liability of payment cards. If merchants want to issue their own cards today and develop their own networks, they can. And yet they choose not to. It seems like a clear question, but if issuing cards is such a rewarding business — especially under the terms that retailers have enacted — why aren't they in the field themselves?
Protecting consumers is our shared responsibility. Everyone, merchants included, must do their part. Electronic payments in the United States are part of a sophisticated system that handles millions of transactions worth billions of dollars every day. When a data breach occurs, the system protects the consumers. But for the system to continue functioning when these breaches occur, all the participants of the system have to meet their responsibilities, take care of American consumers and save the finger pointing for another day. It's time for the merchants to take responsibility.
Bill Cheney is the president and CEO of the Washington, DC.-based Credit Union National Association.