On Thursday, luxury retailer Neiman Marcus announced that hackers had lifted the credit card information of as many as 1.1 million customers during four months in 2013. This news comes closely after Target’s announcement that up to 110 million of its customers were affected by a data breach over the holidays. These data heists underscore the need for updating the payments system to protect consumers from cybercriminals. That’s something bankers and retailers, who share the responsibility for the system’s integrity, should work together to accomplish.
Retailers and bankers have been sparring for a long time over who should pay for the losses when credit- and debit-card fraud occurs. Retailers balk at paying “interchange” fees—payments to banks for covering the cost, as well as the risk, of handling card transactions—which go in part to antifraud efforts. They are also reluctant to pay for new card-reading systems that would bolster consumer safety. Banks, in turn, are left with the responsibility to make customers whole—even when the institution had no part in the fraud.
The fracas between banks and retailers is a distraction from real, daily threats to the safety of the payments system. Neiman Marcus and Target appear to be victims of malware software that steals information before it ever leaves the companies. The breaches offer a timely reminder that cybercriminals are trying every day to steal customers’ data—and money. Combating this requires daily vigilance.
The existing payments system is strong, functional and provides extraordinary benefits to users. Customers can make or receive a payment anywhere in the world, at any time of day or night. Even after a significant breach at a retailer, customers continue to use the electronic-payments system. No data disaster has discouraged Americans from swiping their credit and debit cards, racking up $3 trillion in charges annually. And for good reason: Customers can charge confidently because their banks protect them from losses by reissuing cards and absorbing fraud losses. Banks make restitution for fraudulent charges, even if the bank isn’t responsible for the leaked data.
But banks can’t be the only backstop for fraud. Retailers must share the responsibility. It’s a bit ironic that retailers continue to oppose paying interchange fees to banks that help fund innovation, maintenance and security in the electronic payments system they rely upon every day. Sharing responsibility means that retailers should share the cost when systems are breached.
For example, banks and retailers need to work together to complete the transition to a chip-based technology called EMV. Credit and debit cards traditionally use magnetic stripes, which are more easily duplicated by crooks. EMV embeds cards with a micro computer chip, making it harder to commit the same types of fraud seen with magnetic stripes. Counterfeit card fraud is down significantly in Europe with the implementation of this technology. But making the switch by 2015—as already put in motion by the major credit card companies—requires merchants and others to significantly upgrade their own card-reading equipment.
These costs are not insignificant, which has generated resistance from some segments of the retailing industry. But retailers should consider the long-term protection benefits of sharing these costs.
Sophisticated criminals will continue to devise new schemes to undermine whatever payment system is in place. That makes common action in the future all the more important, as today’s fixes won’t fight tomorrow’s criminals. But bankers and retailers share a common priority in protecting their customers while offering the convenience of electronic payments—and so retailers should join us in fighting fraud.