Credit unions want merchants held to same data security standards

The Credit Union National Association is pushing for change – and although there will be pushback from the merchant sector, a lot of what CUNA is pushing for is consistent with what privacy advocates want:

Data security is a critical issue and the U.S. Congress should consider legislative changes to protect consumers, such as requiring merchants to meet the same high standards for data protection to which credit unions and other financial institutions are subject, the Credit Union National Association (CUNA) said in a letter sent to a key lawmaker Thursday.

Additionally, Congress should permit financial institutions to disclose the source of data breaches affecting their members or customers, and merchants should be required to reimburse consumers and financial institutions for costs associated with data breaches, CUNA President/CEO Bill Cheney wrote in a letter to the chairman of the House Small Business subcommittee on health and technology, Rep. Renee Ellmers (R-N.C.). The subcommittee conducted a hearing yesterday entitled hearing “Cyber Security: Protecting Your Small Business.”

Cheney wrote that until merchants are held to high standards for data security as financial institutions, such as credit unions, are, the consumer will “remain vulnerable to a system that does not protect their information.”

Without federal requirements forcing merchant to notify their customers of a data breach, the burden of notification to the consumer lies with the financial institution that issued the payment card.

“However, financial institutions cannot specify which merchant was responsible for the breach and also bears the costs of issuing new payment cards, and making any loss to the consumer’s account whole. The merchant bears no financial responsibility in the case of a data breach,” Cheney underscored in his letter to Ellmers.

The complete text of CUNA’s letter is available on CUNA.


About the author: Dissent

2 comments to “Credit unions want merchants held to same data security standards”

You can leave a reply or Trackback this post.
  1. garykva - December 7, 2011

    The Credit Unionss have a valid point, but, the Credit Unions aren’t using the high tech gadgets to prevent fraud. What about those ATM and CC with RSA style PINS? Biometrics ? There are a ton of possibilities. They issue the same card the same way each time. Thats simply throwing more money into a procedure that is dated and broke. As I have stated before, if a card gets compromised in this era, its impossible to know where the actual breach occurred. Pinpointing a merchants action when the merrchant has a break in or theft of an item with PII is a bit easier. But I don’t know many small ( I mean small, eg; mom and pop shops) that can afford the securities that banks have. Sure, if you allow me the comforts and protections that a bank/cu gets I am all for security. Simply blurting out a statement like this means the CU’s better ante up loans (NOT) which are directly related to security improvements. Legalities in rental of properties mean modifications may or not be allowed in many strip style malls. If a crook wants in, thru a glass window, a sledge thru a wall or other means, they will get in to the location. Unless all items are locked up each night in a safe that would take 10 people to lift, then, its a challenge. In the world of small business, the majority of people get lax on security over time. It’s nature of the beast. They get a taste of that false sense of security, and one time is all it takes.

    If most people could afford the property, building and stock out of pocket, they’d probably be retired, instead of putting up with the chaotic economy. With a store in the mall, the protections are pretty much there,and may have a better chance of protecting PII from theft.

    Heck if the government would step in and offer free awareness training and proper handling of PII, some of this may be thwarted. I am sure some person who thinks ripping off PII is worth it until they see a person in a prison suit, explaining what they did – and eventually lost because of it, may keep them from even thinking about it further. Heck offer an one time grant or other monetary incentive to participants – one per area (county/region/state). Have the large corporations offer a laptop with encryption and a lojack style device for cost. That drums up business and awareness at the same time.

    In the world of electronics, it comes down to security – or ease of use; the latter usually wins, and the crooks walk off with the laptop or thumb drive or other hand held device. Pick your poison when it comes to staff policies and procedures. I agree they are chaotic at best, but if thats what the goverment wishes to accept as is, then they eventually will have a heck of a mess to clean up. Again its easy to say “hold them responsible as a CU” well, if they can pay hush hush money and do things that do not make the press, its more of a “Do as I say, not as I do” muttering.

  2. Freddyfrgg - December 8, 2011

    Hi there my first occasion on this website, but I must say that you raise quite a few useful points, making for a truly interesting topic.
    Thanks a lot.

Comments are closed.