Retailers are letting Congress know they support federal efforts to thwart cybercrime, while voicing their support of chip-based EMV smartcards combined with PIN authentication as a defense against future breaches.
The National Retail Federation sent a letter to Congress this week expressing these concerns as lawmakers review the effect of massive card-data breaches at Target and other retailers.
"We believe that the correct legislative response would be for Congress to promote and facilitate greater data and information sharing to better protect consumers and retailers from harm," says Mallory Duncan, the NRF's senior vice president and general counsel.
The NRF also hopes Congress can work to streamline breach notification laws so retailers can better focus their resources and response, Duncan says.
Mostly, the data breaches should open more eyes in the U.S. to the use of chip-and-PIN, a security measure that guards against card counterfeiting, the NRF says.
"Let's be honest, retailers and merchants will accept any reliable form of payment that customers and consumers prefer, be it cash, credit, debit, or even bitcoin," Duncan says.
"That is why we believe it is imperative that banks and other financial industries upgrade their fraud-prone magnetic-stripe cards to more secure chip-and-PIN cards," he adds.
Chip-based cards represent "one concrete and short-term step" that banks and card companies should make to better protect consumers from harm, Duncan says.
The highly publicized breaches at Target and Neiman Marcus during the 2013 holiday shopping season, with rumors of more breaches yet to be disclosed, have sparked renewed interest in data security.
NRF president Matthew Shay's letter to Speaker John Boehner expresses concern about the elaborate malware used in the Target attack and how "highly motivated criminals" are using state-of-the-art tools to attack the U.S. payments system and other facets of business and government.
Currently, retailers must adhere to a set of security rules under the Payment Card Industry data security standard, or PCI. These rules describe how companies must protect any card data they handle. Companies face fines if they are found to be out of compliance with the PCI standard when a breach occurs.
"The sophisticated cyber attack targeting consumers and retailers demonstrates that the PCI's costly compliance costs and burdens on retailers, restaurants and merchants are no match for today's threats," NRF's Duncan says. "This breach exposes how meaningless PCI really is because it allows the banks to shift liability."
Besides Capitol Hill, retailers have other options to voice their concerns.
"It would be far better if merchants and issuers got face-to-face to solve these issues, rather than bringing the debate to the Hill," says Mark Horwedel, CEO of the Merchant Advisory Group, an organization that has worked closely with the NRF in the past.
Merchants should have some new hope in the wake of U.S. Bancorp CEO Richard Davis stating this week that smartcards are only one facet of security and that banks should be looking beyond EMV technology to contemplate other options, Horwedel says.
"In light of prominent bankers speaking up on this topic, it could lead to a dialogue with retailers, and we would applaud that," Horwedel says. "We need a forum other than PCI, which has all of its rules on the merchant side, and not the issuer side."
In pushing for their voice to be heard in Congress, retailers are taking a chance that the government could get too heavy-handed in its involvement, says Brian Riley, senior research director and analyst with Boston-based CEB TowerGroup.
"This could be a classic case of be careful what you wish for because you might get it," he says.
Still, retailers can see that they don't have all of the answers when it comes to data security, Riley adds.
"Data breaches over time have not been with the banks, they've been with other players and, occasionally, with a middleman like Heartland [Payment Systems]," he says.
Heartland disclosed a large security breach in 2009. It was one of many processors targeted by hackers over the years.
Horwedel says members of Congress have already called for hearings on the breaches, making it wise for the NRF to explain its position in a letter.
The NRF says credit card fraud cost retailers and financial service partners more than $11 billion in 2012.