In the past few days a handful of influential banking trade bodies in the US lobbied Congress to introduce legislation that would make retailers accountable for breaches in cyber security. This development pits two industries, both of which are integral to the prevention of a significant segment of cyber-crime, against each other in a tug of war over responsibility for mopping up after a cyber-attack. Some of the recent high profile attacks, which have seen over 100 million payment card numbers stolen, are of a scale that perhaps makes this debate inevitable. The question remains whether legislation and litigation are the most effective means of mitigating these risks.
Many point the finger of blame at the retailers, referencing alleged shortcomings in their security – particularly with regards to third party access to their networks. What isn’t as clear is what conditions caused this situation to arise.
Security standards have been imposed on retailers for more than a decade (PCI-DSS consolidated proprietary standards in 2004), but standards alone don’t prevent an attack. The breaches being debated are clear examples of the hazards in a culture where the focus is on being compliant rather than mitigating the risk. Compliance should be treated as a minimum hygiene factor and set of guiding principles rather than the whole requirement. It’s therefore understandable that banks are looking to push liability onto the retailers to remove the moral hazard that has existed to date.
Yet the theft of card details is only an initial step in the criminal chain of events, and the retailer has no visibility or control over the downstream fraud in later stages. That is why it would be unfair to expect them to own the risk end-to-end. Let’s also not forget that there are some considerable costs that fall on the retailer regardless, in remediating the original attack and providing identity protection services to affected customers. Perhaps a pragmatic approach might be for the cost of reissuing the cards to fall on the retailer while the cost of consequential fraud remains with the bank?
There are other parties involved as well. The consumer has chosen to hand over their card details to the retailer. There may be a mobile payment operator or e-payment broker involved. Which of these should accept some of the responsibility? The reality is that there are multiple parties in play, all of whom have an ability to mitigate part of the risk.
Moreover, responsibility in a discrete case is only half the story. Consideration must also be given to the nature of the overall payments system in place. For example, the fact that payment authentication in the US relied on a few pieces of static information, such as the 16 digit card number, made the devices capturing that information and the systems storing it far more attractive targets to attack: once captured, the same data authorises any number of further transactions. This is in contrast to capabilities like chip-and-PIN that were introduced in Europe in response to changing threats, where each transaction is authenticated by data the card generates afresh. That reliance on static data has increased the probability that retailers will be targeted, meaning that all parties involved in perpetuating that systemic weakness share some culpability for an individual incident.
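To make the contrast concrete, the following is an added illustration (not part of the original article, and not the EMV specification) of why captured static card data can be replayed while a per-transaction cryptogram cannot. It is a simplified model: a static issuer check that depends only on the card number, expiry and CVV, beside a chip-style scheme in which the card holds a secret key and a transaction counter and signs each transaction together with an issuer nonce. The card number, expiry, CVV and key are constructed sample values; the HMAC-SHA256 construction is an assumption chosen for the example, not the algorithm any real scheme uses.

```python
"""Static card data versus per-transaction cryptograms: a simplified model.
Constructed example; not the EMV specification and not production code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# --- Static authentication (stripe / card-not-present style) -------------

# Constructed sample issuer record keyed by PAN (card number).
STATIC_CARDS = {"4000123412341234": {"expiry": "1227", "cvv": "123"}}


def authorize_static(pan: str, expiry: str, cvv: str, amount: int) -> bool:
    """Issuer check that depends only on data permanently tied to the card.
    The amount plays no part, so a single captured record authorises every
    later transaction the attacker cares to submit."""
    rec = STATIC_CARDS.get(pan)
    return rec is not None and rec["expiry"] == expiry and rec["cvv"] == cvv


# --- Dynamic authentication (chip-style cryptogram, simplified) -----------

@dataclass
class Chip:
    """Card side: a key that never leaves the chip and a monotonically
    increasing application transaction counter (ATC)."""
    pan: str
    key: bytes
    atc: int = 0

    def sign_transaction(self, amount: int, nonce: bytes) -> tuple[int, bytes]:
        self.atc += 1
        msg = f"{self.pan}|{self.atc}|{amount}|".encode() + nonce
        return self.atc, hmac.new(self.key, msg, hashlib.sha256).digest()


@dataclass
class Issuer:
    """Issuer side: the same key per PAN, the last ATC accepted, and a
    one-time nonce issued for each pending transaction."""
    keys: dict
    last_atc: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)

    def challenge(self, pan: str) -> bytes:
        nonce = secrets.token_bytes(8)
        self.pending[pan] = nonce
        return nonce

    def authorize_dynamic(self, pan: str, atc: int, amount: int,
                          cryptogram: bytes) -> bool:
        key = self.keys.get(pan)
        nonce = self.pending.pop(pan, None)  # each nonce is usable once
        if key is None or nonce is None:
            return False
        if atc <= self.last_atc.get(pan, 0):
            return False  # counter did not advance: replay or clone
        msg = f"{pan}|{atc}|{amount}|".encode() + nonce
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False  # wrong key or stale nonce
        self.last_atc[pan] = atc
        return True


def replay_static_capture() -> tuple[bool, bool]:
    """Attacker captures one static authorisation, then replays it."""
    captured = ("4000123412341234", "1227", "123")
    first = authorize_static(*captured, amount=50)
    replay = authorize_static(*captured, amount=999)
    return first, replay


def replay_dynamic_capture() -> tuple[bool, bool, bool]:
    """Genuine transaction, replay of its cryptogram, and a forgery made
    from cloned static data without the chip's key."""
    key = secrets.token_bytes(16)
    card = Chip("4000123412341234", key)
    issuer = Issuer({card.pan: key})

    nonce = issuer.challenge(card.pan)
    atc, cryptogram = card.sign_transaction(50, nonce)
    genuine = issuer.authorize_dynamic(card.pan, atc, 50, cryptogram)

    issuer.challenge(card.pan)  # new transaction, attacker resends old data
    replay = issuer.authorize_dynamic(card.pan, atc, 50, cryptogram)

    nonce = issuer.challenge(card.pan)
    msg = f"{card.pan}|{atc + 1}|50|".encode() + nonce
    forged = hmac.new(b"guessed-key", msg, hashlib.sha256).digest()
    forgery = issuer.authorize_dynamic(card.pan, atc + 1, 50, forged)
    return genuine, replay, forgery


if __name__ == "__main__":
    print("static: first, replay =", replay_static_capture())
    print("dynamic: genuine, replay, forgery =", replay_dynamic_capture())
```

The point the model makes is the one in the paragraph above: with static data the capture device and the storing system are worth attacking because what they hold is sufficient on its own, whereas with a per-transaction cryptogram the captured values are useless after the one transaction they belonged to, and cloned card data without the chip's key cannot produce a valid new one.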
This is just the start of the debate, but we should balance a natural desire to blame against the urgent need to fix the system and incentivise the right behaviour. The marketplace’s scale and its diversity of traders mean banks and card issuers will find it hard to manage the risk through litigation. An economic model to incentivise retailers, banks and consumers to take the risk seriously would contribute more to our collective security. Equally important is a payment mechanism reliant on more than the static information, permanently associated with a physical piece of plastic, which is easily read, copied and communicated.
Tom Burton, Director at KPMG