Retailers are shirking consumer data security responsibilities

Over the last 10 years, nearly 1 billion consumer records were stolen through data breaches in the United States. So far this year, 12.8 million records have been compromised, including almost 2.5 million within the business sector, which includes retailers.

Just last week, it was reported that in the Wendy’s malware breach, the number of affected restaurants now tops 1,000—more than three times a previous estimate. Breaches like this one are commonplace. Yet while the financial industry is developing innovative ways to secure consumers’ data, retailers have resisted accountability and shirked responsibility for consumer security.

Take chip cards. Two-thirds of all in-store credit card fraud results from counterfeit cards criminals created after extracting consumer data by physically stealing a card, obtaining consumer information online or by skimming. (Losses from skimming, which involves attaching devices to ATMs or payment terminals to copy card numbers and personal identification numbers—PINs—or salespeople using handheld readers behind the counter, average $50,000 per incident.)

Chip cards prevent counterfeit fraud. In the United Kingdom, Canada and Mexico, which embraced chip years ago, counterfeit fraud has dropped 50 to 80 percent. At U.S. retailers that have implemented chip, counterfeit fraud dropped 26 percent in just one year.

Despite these results, merchant groups are dragging their feet. Seventy percent of U.S. consumers—equaling nearly 600 million cards in circulation—have chip cards, but only 37 percent of retailers can process them.

Retailers prefer PIN, which they say is proven and “here.” This cavalier attitude costs consumers. Overall, PIN fraud has risen threefold since 2004—a record which hardly shows PIN to be the safest way to authenticate transactions.

Financial institutions recognize that no one solution is a panacea and that achieving consumer security will require a multi-tiered approach. That’s why we’re continually investing in the development of new security technologies like real-time predictive analytics, tokenization, biometrics and end-to-end encryption. Consumers recognize this too. A recent Morning Consult poll found that 75 percent of Americans want retailers to move as quickly as possible to adopt new forms of electronic payments, including chip, to help protect their personal information.

Retailers’ reliance on PIN also doesn’t prevent online fraud. E-commerce sales are exploding—rising more than 15 percent to $92.8 billion between the first quarter of 2015 and the beginning of 2016—while overall retail sales inched up just 2.2 percent. Last year, Black Friday sales at brick-and-mortar locations fell $1 billion while cyber Monday sales rose 16 percent, hitting a record $3 billion.

The only way to protect consumers from online fraud is for Congress to force retailers to adopt the national data security standards to which financial institutions already adhere—a move, of course, that retailers oppose.

Reps. Randy Neugebauer (R-Texas) and John Carney’s (D-Del.) Data Security Act also would hold merchants accountable when data is stolen under their watch. (Sens. Tom Carper (D-Del.) and Roy Blunt (R-Mo.) have similar legislation in the Senate.) Retailers will spend $15 billion this year on online marketing and $23 billion by 2020, so it seems outrageous that they won’t support a bill that would make sure their customers’ data is protected when they use the Internet to make purchases. Apparently, retailers are content to let consumers and financial institutions pay when breaches happen.

About 14,000 consumer records are exposed by data breaches in the business/retail sector each day at a time when consumers spend about $255 million per day online. Essentially every time consumers use their credit or debit cards, they run the risk that their data will be breached.

All industries should do their part to ensure consumers and their data are protected. Merchants, under the Data Security Act, would finally have a national data security standard similar to the one the financial industry has followed since the 1999 enactment of the Gramm-Leach-Bliley Act. It’s time they got on board.

Brad Thaler serves as vice president of legislative affairs for the National Association of Federal Credit Unions (NAFCU).

