Pointing Fingers: Why the US has Fallen Behind on Financial Retail Security

In the United States, the standard payment system is based on payment cards with magnetic stripes that are not encrypted and can easily be read. Magnetic stripe cards are reportedly easy to forge, and the signature on the back of the card provides criminals with an example of the cardholder's authentic signature. In the United States, cybercriminals breached the data security of Target, Home Depot, JP Morgan Chase, Sony, and Adobe, stealing the personal and financial information of millions of customers. In most of the rest of the world, a payment system thought to be more secure, the Chip and PIN system, has been adopted. Not only does this system rely on encryption at the initial transmission, but it also changes the encryption every time the card is used, making it nearly impossible for a criminal to capture and reuse cardholder information as it is transmitted and processed through the system. Yet, in the United States, this technology has not been adopted as the standard. Why has the United States fallen behind on this security matter during a period overwhelmed by financial data breaches? According to a recent Congressional Research Service report, The Target and Other Financial Data Breaches: Frequently Asked Questions, the basic answer is . . . money. According to the report, the cost of producing a magnetic stripe card (the US standard) is about $0.50, compared with $2.20 to produce a chip card. There are costs to those that adopt the heightened security, but no equivalent benefits. According to the report, the issue does not fall into the hands of a single player, because in the payment card industry the players include the businesses accepting payment cards, issuing banks, acquiring banks, the payment card companies, and the merchants. As a result, gridlock has occurred, with each player pointing fingers at another player to take responsibility and cover the costs. The report explained the situation in the following way:

Image: Target Financial Breaches

To use a simple analogy, in a house shared by several roommates, each wants to see the house kept clean, but no one wants to clean the living room. . . . This creates a similar problem of participants trying to shift the costs of cyber protection to the other participants.
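As an added illustration (not from the post or the CRS report), the following constructed Python model shows the property described above: data copied from a magnetic stripe is accepted every time it is presented, while a per-transaction keyed cryptogram with a transaction counter, a deliberately simplified stand-in for a chip card's dynamic authentication rather than the real EMV algorithm, is rejected by the issuer when the captured value is resubmitted or altered. The card number, key, and all names are made up.

```python
import hashlib
import hmac
import os

# Constructed, simplified model; not the EMV specification. Card number is made up.
STATIC_TRACK = b"4111111111111111=2512101"   # constructed sample stripe data

def magstripe_authorize(presented: bytes) -> bool:
    """Static data: the same bytes validate on every use, so a copy replays."""
    return presented == STATIC_TRACK

def _message(amount_cents: int, atc: int, nonce: bytes) -> bytes:
    return b"%d|%d|%s" % (amount_cents, atc, nonce.hex().encode())

class ChipCard:
    """Card holding a secret key and an application transaction counter (ATC)."""
    def __init__(self, key: bytes):
        self.key, self.atc = key, 0

    def cryptogram(self, amount_cents: int, nonce: bytes):
        self.atc += 1                         # fresh counter on every use
        msg = _message(amount_cents, self.atc, nonce)
        return self.atc, hmac.new(self.key, msg, hashlib.sha256).digest()

class Issuer:
    """Issuer host: checks the MAC and refuses any counter value already seen."""
    def __init__(self, key: bytes):
        self.key, self.last_atc = key, 0

    def authorize(self, amount_cents: int, nonce: bytes, atc: int, mac: bytes) -> bool:
        if atc <= self.last_atc:
            return False                      # replayed or cloned transaction
        expected = hmac.new(self.key, _message(amount_cents, atc, nonce), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False                      # amount, counter or nonce tampered with
        self.last_atc = atc
        return True

def demo() -> dict:
    key = os.urandom(16)                      # shared card/issuer key (constructed)
    card, issuer = ChipCard(key), Issuer(key)
    nonce = os.urandom(4)                     # terminal's per-transaction unpredictable number
    atc, mac = card.cryptogram(1999, nonce)
    return {
        "stripe_copy_accepted": magstripe_authorize(STATIC_TRACK),    # skimmed stripe replays
        "chip_first_use": issuer.authorize(1999, nonce, atc, mac),
        "chip_replay": issuer.authorize(1999, nonce, atc, mac),       # same cryptogram resubmitted
        "chip_altered": issuer.authorize(9999, nonce, atc + 1, mac),  # amount changed, MAC fails
    }
```

The issuer's counter check is what turns a captured chip transaction into worthless data, which is the report's point about why the more expensive card is harder to exploit.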

At first, the courts were called to play parent to the disputes between the various parties.  According to the report, the decisions by the courts were made on a case-by-case basis and often litigated under a variety of state laws, and this led to a lack of uniformity in the outcomes. As a result, people are starting to turn to Congress for answers.  The report highlighted the following proposals made during Congressional hearings on the topic:

  • Federal Data Breach Notification Law: Essentially, this law would require companies to notify individuals when their personal identifiable information has been compromised.  There has been some push-back concerning the potential displacement of state laws if Congress enacted this law.
  • Modifying Federal Trade Commission Statutory Power: Currently the FTC does not possess explicit statutory powers to impose monetary penalties or punitive fines on companies for unfair or deceptive trade practices related to a data breach, so some in Congress have called for passage of a law to strengthen the FTC’s statutory authority to penalize businesses that fail to adequately protect consumers’ personally identifiable information.
  • Creating Federal Standards for Data Security, Including for Businesses: Some in Congress are pushing the federal government to create standards for what represents a minimum acceptable level of data security, while others voice concerns that standards would be too rigid for such a rapidly evolving, technology-driven field as data security. The report describes a number of bills in both the Senate and House that appear to create differing types of federal standards for data security (the full report discusses those bills). On February 12, 2014, the National Institute of Standards and Technology (NIST) issued its Framework for Improving Critical Infrastructure Cybersecurity, which sets out a voluntary framework. While the voluntary nature of the framework removes any direct means of enforcement, the Congressional Research Service report points out that the existence of the framework could create a basis for a standard of conduct that could become a benchmark for courts to evaluate liability relating to data security under tort and other law.

While the policy solutions above serve as a baby step in the right direction, they ignore the bigger issue of allocating responsibility to the parties best positioned to protect against cyber breaches. As a result, the finger pointing continues. For example, according to the report, merchants complain that the excessive market power of payment card companies has forced an undue share of the costs onto the merchants, who also bear a high share of penalties and indemnifications for breaches. Merchants also argue that payment card companies are not spending enough to upgrade security technology. On the other hand, banks complain that they pay most of the costs to reissue cards and reimburse fraudulent charges, and that such breaches often result from merchants' security errors. So the players involved do what they can to shift the costs of technological improvements in security. The payment card industry has announced that effective October 1, 2015, liability for fraudulent transactions (except at ATMs and gas stations) will be assigned to the merchant or issuer that is not Chip and Signature compliant. However, is this the type of problem that should be dealt with by marketplace forces? According to the report, an additional concern voiced by banks and payment card companies was that "if data security were to become a competitive factor, information sharing and cooperating on data security might be more difficult." Taking into account the current focus in the cyber landscape on data sharing, this concern could have major implications. Given the above issues, perhaps the only solution is for the government to mandate improvements. What do you think? To learn more, read the full report.

Authors

Professor William C. Snyder

Professor William C. Snyder is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.

Ryan D. White

Ryan is currently a third year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse's Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as a clerk for the U.S. Attorney's Office in the Western District of New York. He is a member of Syracuse Law Review and the Journal on Terrorism and Security Analysis, and participates in the Veterans' Legal Clinic.

Shelby E. Mann

Shelby is a second year law student at the Syracuse University College of Law. She is the 2018-19 Editor in Chief of the Syracuse Law Review, as well as a member of the Journal on Terrorism and Security Analysis, and the senior editor for the Syrian Accountability Project. During her final year at the University of Missouri, she served as a full-time news producer for ABC 17 News. Shelby spent her first summer of law school at the Shelby County District Attorney General's Office in Memphis, Tenn., in the Public Corruption and Economic Crimes Unit.

Christopher W. Folk

Christopher W. Folk is a 2017 graduate of SU College of Law. A non-traditional student, Christopher returned to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. in Applied Economics and Business Management, attended Northeastern University's High-Tech MBA Program and received an M.S. in Computer Information Systems. Christopher previously worked in software engineering. Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law.

Anna Maria Castillo

Anna Maria Castillo is a 2016 graduate of Syracuse College of Law. She also holds a Master of Arts in International Relations from Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She served as an executive editor of the Syracuse Law Review.

Jennifer A. Camillo

Jennifer A. Camillo is a 2015 graduate of Syracuse College of Law and is a prosecutor. She has served as a law clerk in the United States Attorney's Office for the Northern District of New York and the Cayuga County District Attorney's Office and as an extern in the Oneida County District Attorney's Office. She was a member of the Syracuse National Trial Team and was awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. Pistorese

Tara J. Pistorese holds Juris Doctor and Master of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She wrote for this blog as a student. She is now a member of the U.S. Army Judge Advocate General's Corps.

Benjamin Zaiser

Benjamin Zaiser is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.)
