The National Retail Federation (NRF) has gone on the record as opposing any legislation that would force retailers to follow data security rules created for the banking industry. Instead, it has asked Congress to pass a uniform national data breach law.
As we reported earlier this year, the House Commerce, Manufacturing, and Trade Subcommittee opened hearings in January on national data breach legislation following a string of highly visible payment card breach incidents, particularly at the retail level. One proposal the subcommittee is considering is an extension of the Federal Trade Commission's (FTC) authority that would apply bank-style regulations to any merchant who accepts credit, debit or gift cards. Currently, the FTC only requires merchants to safeguard sensitive payment card data and to explain how it is shared with other parties.
As reported on the PYMNTS.com® website, the NRF has asked legislators to reject such a move in favor of a uniform national data breach reporting law. In a whitepaper written by two former FTC officials and delivered to Capitol Hill, the retail advocacy organization argues that applying bank-style security rules to retailers would be harmful.
“While the banks covered by the guidelines are relatively homogeneous, extending the guidelines to all entities that accept payment cards would sweep in a vast array of businesses ranging from large multinational conglomerates to small operations, and could also include individuals,” note Joel Winston and Anne Fortney in the whitepaper. “The threats faced by these widely diverse businesses are likely to vary widely as well, as would the sophistication and capabilities of the entities themselves for addressing the threats . . . Many of the guidelines’ provisions, which were drafted with banks in mind, likely would be unsuitable for a significant proportion of the entities that would be subject to these new requirements.”
The NRF also argues that while there are about 13,000 FDIC-insured banks and credit unions in this country for regulators to supervise, there are millions of businesses, organizations and individuals that accept payment cards. Additionally, it says that card-issuing banks — not retailers — dictate the level of security for payment cards. “If the [bank-oriented guidelines] were made applicable to businesses that merely accept banks’ cards, they would impose security obligations on those with the least ability to implement the requirements applicable to payment card security,” the former FTC officials wrote.
While there are presently no federally mandated security requirements for card-accepting retailers, the vast majority of states have data breach notification laws on the books that specify who must comply with the law, along with other particulars. Additionally, all parties to payment processing are required to meet the Payment Card Industry Data Security Standard (PCI DSS); meeting it is known as being PCI compliant. However, according to Verizon's 2015 PCI Compliance Report, 80 percent of all businesses fail their interim PCI compliance assessments, and only 29 percent of companies are still fully PCI DSS-compliant less than a year after being validated.
For now, achieving and maintaining PCI compliance is the best way for retailers to protect themselves and their customers from hackers and identity thieves. TransFirst® promotes and supports PCI compliance with a program that provides multiple services to help merchants achieve this industry standard and a Data Breach Security Program designed to help merchants meet the expenses resulting from a suspected or actual breach of payment card data.
We will continue to follow the Congressional hearings on national data breach legislation and report back on developments in this space.
Trademarks are the property of their respective owners and are not necessarily affiliated with TransFirst.