The National Retail Federation urged Congress during a data security hearing on Wednesday to proceed with data breach reform in a “holistic fashion.”
“[W]e should not be satisfied with deciding what to do after a data breach occurs—who to notify and how to assign liability,” the NRF said in an official statement. “Instead, it’s important to look at why such breaches occur and what the perpetrators get out of them so that we can find ways to reduce and prevent not only the breaches themselves, but the fraudulent activity that is often the goal of these events. If breaches become less profitable to criminals then they will dedicate fewer resources to committing them, and our goals will become more achievable.”
According to a 2013 study of data breaches by Verizon, which covered 27 countries, 38 percent of breaches affected large organizations, 37 percent in financial institutions and 24 percent occurred at retailers.
The NRF said that PCI security standards have “not worked quite as well in practice” as was intended in concept.
“PCI has in critical respects over time pushed card security costs onto merchants even when other decisions might have more effectively reduced fraud—or done so at lower cost,” the NRF said. “Similarly, merchants are expected to annually demonstrate PCI compliance to the card networks, often at considerable expense, in order to benefit from a promise that the merchants would be relieved of certain fraud inherent in the payment system, which PCI is supposed to prevent. However, certification by the networks as PCI Compliant apparently has not been able to adequately contain the growing fraud, and retailers report that the ‘promise’ increasingly has been abrogated or ignored.”
The NRF advocated for the replacement of magnetic stripe technology with PIN and chip standards and EMV technology, as well as tokenization.
“Keeping sensitive data encrypted throughout the payments chain would go a long way to convincing fraudsters that the data is not worth stealing in the first place—at least, not unless they were prepared to go through the arduous task of trying to de-crypt the data which would be necessary in order to make use of it,” the NRF said.