Credit Card Data Protection's Weakest Link
Efforts to protect consumer data from hackers are only as strong as their weakest link. If credit-card numbers get stolen, consumers are vulnerable to fraud, and banks and credit-card companies are on the hook for reissuing cards and making other remedies. This accountability forces these financial institutions to make up-front investments that help protect against breaches.
Merchants should do their part too. But some don’t — largely because they are not held to account when their data is compromised. That is a problem for consumers who expect their credit-card information to be protected.
Currently, some merchants keep customer transaction data for much longer than necessary (mostly retaining consumer information for marketing purposes), and merchants are not required to have firewalls on their servers, to use data encryption, or to have virus and malware protection to block hackers. No matter how good financial institutions are at protecting your card, many merchants leave your data vulnerable to online thieves.
While banks and credit unions are responsible for paying the costs for reissuing new credit cards when a breach occurs, and while they must give notification of breaches to merchant clients, they are not allowed to identify who was responsible for the breach. This means that if a restaurant is responsible for a breach, banks and credit unions are effectively taking the blame and incurring the cost for the lost data. These financial institutions can’t even say that the breach was due to an “unnamed merchant.”
In effect, merchants can be the source of breaches and not be held accountable for them. That gives retailers little motivation to protect your data. If merchants were identified, they would be much more proactive and willing to adopt some basic standards for protecting consumer data.
That may happen. Sens. Tom Carper (D., Del.) and Roy Blunt (R., Mo.) have proposed S. 961, the Data Security Act of 2015. The bill would make merchants subject to information-security requirements, like financial institutions are today, and require security planning and standards commensurate with the size and complexity of the business. Reps. Randy Neugebauer (R., Texas) and John Carney (D., Del.) have introduced H.R. 2205 with similar provisions.
As much as I think we want to avoid imposing regulatory costs on merchants, they need to have some basic standards for protecting consumer data. Merchants' payments of credit-card fees do not entitle them to avoid the costs caused by their inaction. In fact, the argument that these costs should not be borne by small businesses does not hold water, when you consider that 93 percent of credit unions are classified as small businesses as well, yet they manage to maintain safeguards similar to those proposed by Congress.
Preventing online breaches will be an endless fight to stay ahead of hackers, but we need to make what improvements we can today. H.R. 2205 and S. 961 will strengthen the weakest links and hold merchants accountable for protecting their clients, rather than pushing the costs and consequences to consumers.
Steve Pociask is president of the American Consumer Institute, a nonprofit educational and research organization.