BreachExchange mailing list archives

Retailers Should Be Held to Stricter Standards on Data Security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 27 Aug 2014 19:36:41 -0600

http://www.americanbanker.com/bankthink/retailers-should-be-held-to-stricter-standards-on-data-security-1069613-1.html

The lazy, hazy days of summer appear to have no effect on cybercriminals.
If anything, they seem to be emboldened to conduct more attacks. The
continued absence of national data security standards for retailers has
given cybercriminals free rein to access consumer data, and Americans and
their financial institutions are paying the price.

The recent massive malware attack called Backoff affected an estimated
1,000 businesses, according to an alert issued on Aug. 22 by the Department
of Homeland Security and U.S. Secret Service. The malware attacks remote
desktop applications used by point-of-sale systems, allowing cyber
thieves to acquire consumers’ credit card numbers and other personal
information.

That's far from the only cyberattack this August. United Parcel Service on
Aug. 20 confirmed a data security breach that had apparently gone
undetected since January, ultimately impacting over 100,000 consumer
transactions at 51 UPS franchises. And grocery chain owner Supervalu Inc.
on Aug. 14 alerted its customers to a potential data breach on its
point-of-sale network sometime between June 22 and July 17, affecting 180
stores.

Since most of the major data breaches have been engineered through malware,
chip-and-pin technology alone would not have prevented them. In order to
make customer transactions safer, Congress should hold retailers and any
other businesses responsible for the storage of consumer data subject to
standards similar to those imposed on financial institutions under the
Gramm-Leach-Bliley Act. Under Gramm-Leach-Bliley, credit unions and other
financial institutions are required to meet certain criteria for
safekeeping consumers' personal information.

In order to relieve financial institutions saddled with the costs of
replacing compromised credit cards through no fault of their own, Congress
should require merchants to pay for the costs of breaches that occur on
their end — particularly when negligence may have led to the attack. The
Target data breach alone will cause financial institutions to lose $480
million in card replacement costs and other expenses, according to
estimates by the National Association of Federal Credit Unions.

Merchants should also be required to post their data security policies at
the point of sale if they take sensitive financial data and to notify
account servicers or owners — including financial institutions — whenever
any personally identifiable information has been collected. Such a
disclosure requirement would come at little or no cost to the merchant, but
would allow consumers to be better educated about what merchants may be
doing with their personal information and the risks to which they are
exposed.

To help prevent future security issues, breached merchants or retailers
should be required to demonstrate that they have taken all necessary
precautions to guard data. And Congress should enforce data retention
prohibitions in existing agreements between merchants and card companies,
as well as establish statutory standards prohibiting retailers from
retaining payment card information. Many retailers today store sensitive
personal data in their systems, leaving that information vulnerable to
breaches.

For the sake of America's economy and consumers, Congress must take steps
to protect consumer financial information from cybercriminals. Retailers
must be held to the same strict standards of data security and breach
notification to which all financial institutions must adhere.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss