Data security breaches have become all too common in our country. Some breaches are due to honest mistakes, but some are caused by careless retailers with little experience in managing sensitive data. When merchants irresponsibly fail to maintain security, they put consumers at risk and add to the growing problem of identity theft. Thankfully for consumers, banks across the nation are spending millions of dollars to protect them from data breaches.
The most recent examples are the data breaches at TJX and Stop & Shop. In one instance a retailer was keeping information it wasn’t supposed to, failed to safeguard it, and then had its computer system hacked. The other breach involved illegal tampering with a retailer’s scanning equipment. These breaches cost the retailers nothing, but they have cost banks millions of dollars as they moved to quickly protect their customers.
Under the rules of Visa and MasterCard, merchants are not permitted to capture and hold sensitive consumer financial information. There is a reason for that. Unlike banks, retailers are generally ill-equipped to safely store such information. By law, banks must have comprehensive data safeguard measures, and they are regularly examined to ensure their effectiveness. No such requirement exists for retailers. Yet all too often retailers such as TJX are capturing customer information and failing to protect it. The result is that millions of consumers are left susceptible to fraud.
Today, retailers are not required to do anything to protect the consumers they place at risk, and they bear virtually none of the costs that banks are incurring to clean up the retailers’ breach. As community bankers, whenever we are notified that there is a breach that affects our customers, we act quickly to close vulnerable accounts and reissue cards to our affected customers. Many of us are doing so at great cost to our institutions, and we receive little to no compensation from those at fault.
A recent survey on data breaches by America's Community Bankers found that the vast majority of our member banks have been affected, with 72 percent of the respondents having to reissue cards three times or more in the past two years. It costs us $10 to $15 to replace just one card. With the recent TJX breach affecting as many as 40 million cards, well over 300,000 cards have had to be replaced so far. At even the low end of the cost estimate, this means that banks have had to spend over $3 million in card replacement costs alone. And this does not include the costs associated with fraudulent charges, for which consumers are not responsible. TJX has had to bear none of these costs. The banks bore them all.
Community banks are willing to do whatever it takes to protect our customers from fraud. One key step is changing the rules. We are calling on Visa and MasterCard to start enforcing their own data security rules for merchants. It is also time for Congress to pass legislation to force those who are responsible for a data breach to shoulder the costs to protect their customers.
This is just common sense. Those who are responsible for a breach should bear the costs of fixing it. Such a system will create a financial incentive for retailers to protect sensitive information, and compensate those banks that are at the front line of customer protection.
Enforcement of the Visa and MasterCard contracts, and legislation restoring balance and fairness to the marketplace, are needed. We urge Congress to act quickly to protect consumers. Consumers deserve more than being placed at risk by careless merchants.
Michael T. Crowley, Jr., chairman of ACB’S Debit Card Fraud Committee, is chairman, president and CEO, Bank Mutual, Milwaukee, Wisconsin.