In "Broken Payment System Guarantees Another Breach like Target's" (BankThink, Jan. 9), merchant attorney Doug Kantor decries what he calls an "almost universal lack of understanding of the essential issues at hand" in the breach. Kantor proceeds to blame the breach not on the criminal enterprise that infiltrated Target's systems, but rather on the card networks, then lodges an unrelated complaint that "we pay the highest swipe fees in the industrialized world."
That purported "universal lack of understanding" narrowed significantly on Jan. 10 when Target announced that 70 million Target customer emails, mailing addresses, and phone numbers which of course have nothing to do with payments were also exposed in last month's data breach.
If you're having trouble finding the link between interchange and the Target breach, you're in good company. There is no connection between interchange (in which Kantor is deeply involved, as he is the lawyer for merchants in their interchange lawsuits against payments companies) and the breach at Target. But even putting aside this non sequitur, Kantor is erroneous to suggest the payment system is broken because merchants lack control over data security.
Security is clearly a shared responsibility across the payment ecosystem. The payments industry introduced a self-regulatory data security framework in 2004 called the Payment Card Industry Data Security Standard to respond to the growth in merchant data compromises. While the PCI standard continues to evolve, it has, without a doubt, made the payment ecosystem more secure as evidenced by a stable global fraud rate around 0.06% all while payment volume grows (card payments totaled $4.5 trillion in the U.S. last year, according to the Federal Reserve) and consumers use new technologies like mobile payments.
The PCI standard is managed by a coalition of all the payment card brands and participating organizations, through the PCI Security Standards Council. Merchants have significant influence over PCI and make up more than 40% of the member organizations that provide ongoing feedback on these standards. While the cost to comply with this industry-developed standard can be significant for large organizations, the investment in a safe, secure and compliant system to protect consumers is critical and pales in comparison to the cost of a breach. According to the Ponemon Institute, the cost of managing a data breach is 2.65 times the cost of implementing and complying with PCI standards.
Let's also address Kantor's false premise that the payment card companies have no incentive to enhance security because they push the costs to merchants. In most cases, financial institutions must pay for card reissuance and provide additional customer service resources to reassure consumers who have been affected by a data breach at a merchant. And the payment networks and retailers alike suffer greatly if consumers don't trust electronic payments as secure.
Most importantly, consumers are protected against liability for fraud because payments companies, not merchants, go above and beyond the protections required by law to take responsibility for protecting consumers against loss on a credit or debit card meaning that in the first instance, it is the financial institutions that must suffer the fraud losses. The financial services industry is constantly investing in technology to monitor for fraud in real-time. We've all had that call asking us to verify a purchase, which is the result of the financial services industry investing in technology that is essentially a community watch for fraud. This is why consumers prefer electronic payments and carry more than 1 billion debit and credit cards in their wallets. In short, for retailers, consumer confidence in our payments system is vital, and regardless of where blame lies for the Target breach, we should all be working together to get consumers back into Target and all other retailers to spend and buy.
We should also work collaboratively to deploy innovative financial tools to prevent future breaches and further reassure consumers. In addition to the ongoing deployment of the EMV chip-and-PIN standard, which will take away an incentive for theft of card data, new tokenization and end-to-end encryption products and services are coming to market that will assist merchants in securing consumer data. My association represents more than 500 payments and technology companies strong evidence of how robustly competitive (and innovative) our industry has become, resulting in a plethora of technologies that protect against criminal activity. But any such adoption or technology sea change will require the support of all parties involved financial institutions and merchants alike. This means our security fate is forever intertwined. We'd all be better served by focusing on facts and solutions rather than hyperbole and legally motivated finger pointing.
Jason Oxman is the CEO of the Electronic Transactions Association.