BreachExchange mailing list archives

Who’s at fault when your security is breached? It’s not just your bank


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 11 Mar 2015 19:04:48 -0600

http://www.chicagobusiness.com/article/20150310/OPINION/150319980/data-security-dont-pin-it-all-on-banks

A recent opinion piece in Crain's by Citizens Action Illinois (“Big banks:
It's your move on data security”) misrepresents the banking industry's
efforts to ensure our nation's data security. Retail merchants are
conflating issues to avoid sharing responsibility for safeguarding their
customers' identities and account information.

They claim that chip and PIN technology—which increasingly is being
implemented by financial institutions and retail merchants, which have to
adopt this together—is a cure-all for retail data breaches. But the truth
is there is no single approach to information security that is a panacea
for credit and debit card fraud.

PINs—personal identification numbers—are a static technology, and hackers
continue to prove they can sidestep it. PINs can be stolen with skimming
devices and cameras, and they do nothing to prevent online purchases and
other kinds of “card-not-present” fraud, which is where most credit and
debit card fraud happens. When Target was breached, the retailer announced
that “strongly encrypted PIN data was removed.” Months later, hackers stole
customer accounts with PINs and signatures in the Home Depot breach.

While merchants are quick to point fingers, the fact is that every player
in the payment system—banks, retailers, and card issuers and
processors—must share responsibility and accountability for keeping
customer information safe. This obligation should not and cannot fall
solely on the banking industry.

KEEPING PRIVATE INFORMATION PRIVATE

Financial institutions invest billions of dollars to maintain the strongest
data security systems available and to train their employees on customer
privacy and security protocols. Banks are required by law to adhere to
strict customer privacy policies and rigorous data security standards. They
are subject to laws and regulations telling them how to respond and notify
customers when any data breach occurs, and they must take additional steps
to freeze or close compromised accounts, cancel and reissue cards, and
continuously monitor the accounts for suspicious activity, all while
handling customer inquiries and reimbursing their customers for virtually
all fraud losses.

Unlike the retail merchant component of the payment system, banks are
subject to regular and thorough examinations by federal and state
regulators to ensure that they comply with these laws and regulations, and
if they do not, they must pay the price in substantial sanctions and fines.

There are no standards or regulations comparable to these that require
retail merchants to secure customer information. While merchants claim they
are subject to card industry security standards, there is no government
regulator enforcing these standards or examining them for compliance. In
fact, most merchants self-certify their compliance with the payment
processors' security standards. The consumers affected by the scores of
recent merchant breaches already know this self-regulation is not working.

We agree with one thing the article's author said: “Americans face constant
threats to their personal and financial information.” To help protect your
sensitive financial information, Congress should mandate that every
business and person who collects or handles customers' financial
information should be held to the same rigorous security and privacy
standards as financial institutions. Congress also should mandate
nationwide standards for reporting breaches and notifying customers when a
breach occurs—and every party, including merchants, should be held
accountable and financially responsible for losses suffered by others as a
result of their negligence. Consumers deserve better.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 