Congress is an intentionally deliberative body. It was structured by our founders to ensure collective participation in shaping government policy, and sometimes that allows certain factions to disrupt the legislative process purely for their own self-interest. Such is the case with the retail industry sidelining the debate over data security by resuscitating tired and largely settled complaints over the transition to EMV chip technology.
As ICBA recently testified before the House Small Business Committee, community banks are in a good position to help small businesses make the switch to EMV technology. The transition itself has been underway since 2011. And the Oct. 1 liability shift has come and gone with banks and merchants diligently moving toward implementing EMV.
But rather than entering into a substantive dialogue about the limitations of chip technology and collaborating on further improving consumer security in an era of data breaches and cyber-threats, retail industry lobbyists have instead fixated on EMV quibbles and attempted to re-litigate the failed Durbin Amendment debit interchange price controls. To avoid the public spotlight on their own costly security lapses, retailers are serving red herring.
Don’t bite. Here are the facts: EMV is a positive step for consumers, but it is simply not a panacea for payment card fraud. While counterfeit card fraud will be successfully mitigated when a critical mass of card issuers and merchants migrate to EMV, fraudsters will shift to other fraud, such as online card fraud. The financial industry is, however, pioneering multiple layers of security technologies, such as end-to-end encryption and tokenization, to protect cardholder information in transit and online transactions. Meanwhile, Congress can take action now—I mean right now—to address the scourge of massive retailer data breaches affecting consumers and the broader economy.
The Data Security Act (H.R. 2205), introduced by Reps. Randy Neugebauer (R-Texas) and John Carney (D-Del.), would implement uniform national data-security standards in place of the current patchwork of state laws. This national standard for all entities that handle sensitive financial data—including merchants—would require robust data-security processes while at the same time being scalable and flexible to the size and risk profile of covered entities. In other words, the corner mom-and-pop deli won’t have the same level of scrutiny as multichannel retailers with massive databases of consumer information, like Wal-Mart, Target or Home Depot. But consumers themselves will be better protected than ever before.
Lawmaking is a justly deliberative process, but it should not be diverted by misleading and disingenuous arguments. If merchants do not want to meet the same kinds of security standards that have worked well for financial institutions, they should explain why they should not have to. But let’s not stall Congress with red herring distractions when, faced with rampant cyber-crime and data breaches, we have much bigger fish to fry.