Q: What is the industry and RILA doing in response to recent cybersecurity attacks?
A: Retailers place an extremely high priority on data security and invest tremendous resources to prevent attacks; however, cyber-criminals are persistent and their methods of attack are increasingly sophisticated. That is why RILA’s Board of Directors recently approved the RILA Cybersecurity and Data Privacy Initiative, which seeks to enhance existing cybersecurity and privacy efforts, inform the public dialogue, and build and maintain consumer trust across three major areas: Cybersecurity, Improved Payments Security, and Consumer Privacy.
Q: Why is protecting against cybersecurity threats a shared responsibility?
A: The safety and security of our customers’ payment card data is of the utmost importance to the retail industry. Risks associated with cybersecurity attacks increasingly threaten the role that merchants play in commerce. Protecting against cybersecurity threats targeting payment data is the shared responsibility of merchants, the financial institutions that issue cards, and the card networks. No single process or technology can prevent cyber-attacks and fraud; rather, a layered approach is necessary to reduce and mitigate fraud and risk.
Q: What steps do merchants take today to protect payment card information?
A: Merchants employ multiple layers of security practices to safeguard customer payment card data, such as encryption of data, tokenization of data, prompting at the point of sale for personal identification numbers (PINs), ZIP code and address verification, Internet Protocol (IP) address/geolocation authentication, prompting for the Card Verification Value (CVV), and automated transaction scoring, to name a few.
Q: Who pays for fraud?
A: Both merchants and card issuers. A 2013 study by the Federal Reserve on debit card fraud losses found that fraud losses are relatively evenly divided between merchants and card issuers: for more secure transactions requiring a PIN, the card issuer absorbed a greater share of the fraud; for less secure transactions (i.e. signature debit), merchants absorb an increasing share of the fraud. For signature debit transactions, merchants absorb 45 percent of the losses and card issuers absorb 54 percent of the losses. For PIN debit transactions, merchants absorb 2 percent of the losses and card issuers absorb 96 percent of the losses. And for card-not-present transactions, which include online, telephone and catalogue sales, merchants absorb 68 percent of the losses and card issuers absorb 29 percent of the losses.
Q: How are card issuers compensated for costs associated with reissuing cards following a cyber-breach?
A: Contrary to the claim that card issuers receive “pennies on the dollar” for card reissuance, by contract card issuers are reimbursed for fraud losses and card reissuance costs based upon a formula agreed to by the card issuer and the card networks, even if no fraudulent activity has actually occurred on the card. For example, according to the MasterCard Account Data Compromise User Guide, under a formula that card issuers and MasterCard have agreed to, a small financial institution is reimbursed by the merchant at a rate of $2.69 per magnetic stripe card. If this same card issuer had issued a Chip & PIN card – which experts agree would render card data stolen in cyber-attacks useless – the small financial institution would be reimbursed $3.66 per card. Visa maintains a similar reimbursement schedule.
Q: Are card issuers 100% reimbursed for costs associated with card reissuance?
A: That would be a good question to ask Visa and MasterCard directly, but unfortunately they haven’t been able to answer it. MasterCard’s Account Data Compromise User Guide, which outlines terms that card issuers and MasterCard have agreed to by contract, says that card issuers are compensated on a per-card basis for 60 percent of the cards they have to reissue; the other 40 percent of cards are not eligible for reimbursement because: 1) they would have had to be replaced anyway under regular card expiration and replacement cycles, and 2) a certain percentage of fraud (occurring at either the banks’ or the merchants’ level) would have occurred on any given card due to normal fraud rates.