Preventing Retail Data Breaches: Defining Best Practices

The National Retail Federation recently presented Congress with a set of solutions aimed at better protecting consumers and helping businesses prevent data breaches. “We should not be satisfied with simply determining what to do after a data breach occurs,” NRF senior vice president for Government Relations David French said in a statement. “Instead, it is important to look at why such breaches occur and what the perpetrators get out of them so that we can find ways to reduce and prevent not only the breaches themselves but the follow-on harm.”

French presented the proposals during his testimony before the House Oversight and Government Reform Committee’s Subcommittee on Information Technology.

Here’s a brief overview of the NRF’s proposed solutions and goals:

  • Expanding consumer liability protection when using debit cards
  • Issuance of Chip-and-PIN cards that incorporate both a computer microchip and a personal identification number (PIN) to authenticate a transaction
  • Adoption of end-to-end data encryption throughout the entire payments system
  • Developing open source, competitive tokenization standards to replace sensitive data with unique and unusable tokens
  • Passage of a uniform nationwide breach notification law applying to all entities that handle sensitive customer information
  • Bolstering federal law enforcement investigation and prosecution of cyber criminals

All quite sensible. Most of these are basic best practices that should have been broadly implemented years ago, which doesn’t make the suggestions any less valuable. We also applaud the inclusion of tokenization and Chip-and-PIN technology.

There has been some tension between the banking and retail industries around Chip-and-PIN, with retailers wondering whether banks and other card issuers will fully support the estimated $20 billion to $30 billion investment anticipated for the shift to new POS systems. If card issuers don’t release Chip-and-PIN cards, opting instead for chip-only cards, consumer security will be negatively impacted.

The NRF’s recommendations were first proposed in an open letter to President Obama, published in advance of the White House Summit on Cybersecurity and Consumer Protection last month.

“These are proposals that we believe policy makers can work together to achieve in the near term, either through consumer and industry-supported legislation or by working with the private sector on improving security practices outside of the lawmaking process,” French said in his testimony.

In an interview with SecurityInfoWatch, Paul Martino, vice president and senior policy counsel at the National Retail Federation, stated that the NRF supports many of President Obama’s initiatives around cybersecurity.

“We welcome his support and effort to promote some of the legislative proposals that we have supported for a number of years. In particular, he’s supportive of cybersecurity information sharing legislation that would provide liability protections and other protections for industries to encourage greater sharing of cyber threat information among businesses and with the federal government. We think that would help our members who wish to receive that kind of threat information to better defend their networks from similar attacks.”

“The president also called for one, uniform data breach notification law, and that’s something we have also supported for a very long time. It would help both businesses and consumers to have one national standard, because there are about 51 jurisdictions right now that have separate disclosure rules, and what that does is avert time, energy, and resources away from repairing a breach and informing consumers if one happens. One uniform standard would not only speed compliance, but would make notices to consumers more concise, timely, and clear.”

During his testimony, French also reiterated the NRF’s opposition to legislative efforts to impose on retailers, merchants, and other non-bank businesses and individuals the same Gramm-Leach-Bliley Act (GLBA) data security regulations that were designed for banks.

“Without the cooperation of our partners in the financial system, we cannot alone effect the changes necessary to better defend and protect against cyber attacks that lead to payment card fraud,” French said. “We need to work together to do what we can to improve an aging and outdated payment system that is the principal target of cyber attacks affecting U.S. retail businesses and their customers.”

Posted in BAI Security Blog.