Earlier this year, our national trade association, the Credit Union National Association, warned that
Target would not be the last merchant data breach, and that has unfortunately proven true. Recent
reports indicate that financial institutions discovered consumer data available for sale on the black
market, and the data was traced to a breach at Home Depot. The reports also suggest the Home Depot
breach may be larger in scope than the Target breach. This latest data security breach demonstrates yet
again the need for data security requirements for merchants.

Merchant data breaches have become a chronic issue. Why? Because data security standards are
inconsistent across the board. Simply put, credit unions and other financial institutions are subject to
high data protection standards under the Gramm-Leach-Bliley Act and merchants are not subject to
federal data protection standards. Under today’s federal law, there is no merchant accountability. That
has to change.

Further, until and unless merchants are held accountable for the damages that breaches to their
systems cause financial institutions and consumers, credit unions have little confidence that merchants will
be incentivized to properly secure their systems. EMV, tokenization and other technologies are critical
to the innovation of the payments system; however, Congress has a role to play in addressing the issue
of merchant data breaches by making sure all of the participants are playing by the same set of data
security rules, and that merchants who hold consumer data and allow that data to be breached are
responsible for the costs incurred by others.

When a data breach occurs, credit unions immediately take steps to protect their members. We know
what to do because we’ve had to do it all too often: we notify our members, make a determination
of whether to reissue debit and credit cards, increase call center staff, set up account monitoring, and
carry out other activity. These steps are not without cost, however, and the impact of merchant data
breach-related costs is far-reaching.

For not-for-profit credit unions operating on already thin margins, these costs make a significant
difference in the bottom line and therefore in our ability to offer services to members.

All participants in the payment process have a shared responsibility to protect consumer data, but
the law and the incentive structure today allow merchants to abdicate that responsibility, making
Congress must act to protect consumers by taking steps to enhance data security standards for