Bankers and retailers are resuming their fight over responsibility for losses from cybertheft as Congress weighs responses to a security breach at Target Corp. (TGT) that exposed data from tens of millions of accounts.
The two sides, antagonists in other disputes over card payments, have already drawn up lines of attack for a series of hearings in Congress that begin this week. Bankers want retailers to cover more of the cost of breaches. Retailers say bankers need to adopt more-secure card technology. Lawmakers must decide whether to act to require tighter security or swifter disclosures.
“This pits powerful banks against powerful merchants,” Jaret Seiberg, a policy analyst at Guggenheim Securities LLC’s Washington Research Group, said in an interview. “Everyone will have a headache, there will be so much noise, but in the end I doubt Congress is going to intervene.”
At stake is about $40 billion of revenue earned by card issuers including JPMorgan Chase & Co. (JPM), as well as the profits of Target and other retailers affected by the breaches. More than $3 trillion in U.S. customer transactions take place each year through the point-of-sale systems infiltrated by the hackers, according to David Robertson, publisher of the Nilson Report, an industry newsletter based in Carpinteria, California.
“The threats posed by cybersecurity attacks represent some of the gravest risk to our industry, the financial services industry, as well as the economy more broadly,” Tim Pawlenty, president of the Financial Services Roundtable, which represents large banks and payment networks, said in an interview. “The laws people take to these issues need to be updated.”
Names as well as home and e-mail addresses for as many as 70 million Target customers were taken, the Minneapolis-based company said in a Jan. 10 statement. Target previously said credit- and debit-card data of 40 million accounts were stolen. It’s likely that the two groups overlap, though it’s unclear to what extent, Molly Snyder, a spokeswoman, said in an interview.
Proposals before Congress include setting national standards for database security and notifying customers when breaches occur. Senators Tom Carper, a Delaware Democrat, and Patrick Leahy, a Vermont Democrat, have re-introduced previous data security bills. Senate Commerce Chairman Jay Rockefeller, a West Virginia Democrat, offered a new measure on Jan. 30 for customer notifications.
U.S. merchants typically pay fees totaling about 2 percent of the purchase price for credit-card transactions. These so-called swipe fees, also known as interchange, help card-issuing banks such as JPMorgan and Bank of America Corp. fund rewards programs and cover fraud costs.
Lenders and retailers have sparred for years over swipe fees, which merchants have said are too high. In 2011, retailers won one round when lawmakers authorized a cap on fees for debit-card transactions, which has reduced banks’ annual debit-interchange revenue by 50 percent to about $8 billion.
Now they are fighting over who should bear the costs of repairing the damage and adopting more secure technology.
“It’s clear that banks are already absorbing at least two-thirds of the cost, if not more, in order to protect their customers for a breach they had nothing to do with,” said Ken Clayton, executive vice president of legislative affairs and chief counsel for the American Bankers Association. “They are rightfully upset about that.”
American Express Co. (AXP), Visa Inc. (V) and MasterCard Inc. (MA) have given most U.S. merchants and issuers until October 2015 to adopt a technology known as EMV or assume liability for counterfeit card transactions. EMV -- named for founders EuroPay International, MasterCard and Visa -- has become a standard in Europe and much of the rest of the world. They are also pushing retailers to use a process known as “tokenization,” where sensitive account information is replaced with proxy data known as a digital “token.”
For their part, retailers and consumer advocates accuse banks of clinging to obsolete magnetic-stripe technology that has put merchants and their shoppers at risk.
“I need to hear from the banks that it’s not only the retailers’ fault; the retailers are forced to use obsolete technology,” said Edmund Mierzwinski, consumer program director for the U.S. Public Interest Research Group, which supports the retailers. “I want to see some piety or some apology from the banks that it’s partly their fault.”
Retailers and bankers end up paying roughly equal amounts in the wake of data breaches, “and even that is problematic,” Mallory Duncan, general counsel to the National Retail Federation, said in an interview. “This fraud is being caused by the cards they issue: They are issuing fraud-prone cards.” Members of his Washington-based trade group include Saks Inc. and the Container Store Group Inc.
Existing federal law on data breaches leans harder on banks than retailers. The 1999 Gramm-Leach-Bliley Act requires financial institutions to notify customers of data breaches. No such federal notification requirement exists for retailers, who instead follow varying notification laws in 46 states.
Standards from Congress “would be useful,” Maureen Ohlhausen, a Republican commissioner on the Federal Trade Commission, said in an interview.
“If Congress could find a single preemptive standard, that would be a good step forward for merchants and also for customers,” David French, senior vice president of government relations at the National Retail Federation, said in an interview.
Congress will hear the arguments publicly in three hearings that begin Feb. 3, when the Senate Banking Committee panel hears testimony from trade groups for both sides. A day later, Target’s executive vice president and chief financial officer, John Mulligan, will take questions from the Senate Judiciary Committee along with law enforcement officials including the U.S. Secret Service. A third hearing, in the House Commerce Committee, follows on Feb. 5.
Camden Fine, president of the Independent Community Bankers of America, which represents smaller institutions, said his members pay a disproportionately high price for breaches compared to larger competitors.
“There needs to be legislation,” Fine said. “The only way to work it out on our own is to sue Target and try to get our money back. What is the incentive for the retailers to work anything out with the banks right now?”
Any legislation this year would need to be enacted by Congress’ summer recess, since after that lawmakers will focus on November elections. Cybersecurity measures have also had trouble advancing since former National Security Agency contractor Edward Snowden disclosed secret surveillance operations.
Fine said for those reasons he sees a less than 50 percent chance of legislation moving this year.
“What would change that would be more revelations about the Target breach that we don’t know about yet or another large retailer like Wal-Mart was breached,” Fine said. “I do however think in the next Congress there’s a good chance that we can get legislation, because there will be more breaches.”