BreachExchange mailing list archives

Retailers To Senators: Don’t Hit Us With Bank-Style Security Rules


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 23 Mar 2015 19:05:47 -0600

http://www.pymnts.com/news/2015/retailers-to-senators-dont-hit-us-with-bank-style-security-rules/#.VQmqMo7F-So

Banking data-security regulations would be a “poor fit” for retailers and
other businesses that accept payment cards, the National Retail Federation
said in a letter to a group of U.S. senators, according to The Hill.

The letter comes as lawmakers are looking for ways to beef up security for
payment cards after a string of highly visible data breaches. One set of
proposals includes extending the authority of the Federal Trade Commission
to apply bank-style regulations to any merchant who accepts credit, debit
or gift cards. Right now the FTC only requires merchants to safeguard
sensitive data and explain how it’s shared with other parties.

In an NRF-commissioned white paper sent with the letter, former FTC
officials Joel Winston and Anne Fortney spoke out against applying the
stricter bank guidelines to merchants. “The FTC considered applying the
rules to retailers that accept bank credit or debit cards and declined to
do so,” Winston and Fortney wrote. “We believe that determination remains
equally justified today.”

The white paper also discusses what harm the bank-style security rules
could have on retailers.

“While the banks covered by the guidelines are relatively homogeneous,
extending the guidelines to all entities that accept payment cards would
sweep in a vast array of businesses ranging from large multinational
conglomerates to small operations, and could also include
individuals,” Winston and Fortney highlighted in the white paper. “The
threats faced by these widely diverse businesses are likely to vary widely
as well, as would the sophistication and capabilities of the entities
themselves for addressing the threats. A flexible approach as in the
Safeguards Rule is necessary to account for those critical differences.
Many of the guidelines’ provisions, which were drafted with banks in mind,
likely would be unsuitable for a significant proportion of the entities
that would be subject to these new requirements.”

A key problem in expanding the FTC’s role is the fact that bank regulators
have continuing, interactive contact with banks to keep them in line with
regulations, while the FTC is a law enforcement agency that can sue
retailers only after they have violated the law.

A bigger problem is scale: There are about 6,500 FDIC-insured banks and
about as many U.S. credit unions for regulators to supervise, compared with
millions of merchants and other organizations and individuals that accept
payment cards.

Another issue is the fact that retailers can’t dictate the level of
security for payment cards — that’s controlled by card-issuing banks. “If
the [bank-oriented guidelines] were made applicable to businesses that
merely accept banks’ cards, they would impose security obligations on those
with the least ability to implement the requirements applicable to payment
card security,” the former FTC officials wrote.

Though there aren’t currently any government-mandated security requirements
for card-accepting retailers, they are required to meet the Payment Card
Industry Data Security Standard (PCI DSS) or be hit with higher
transaction fees. That’s already more of a challenge than many large
retailers can handle: 80 percent of merchants fail interim PCI DSS
compliance assessments. In the case of smaller merchants and other
organizations, many don’t even know the PCI security standards exist.

While the NRF wants legislators to reject anything that would extend the
bank-oriented security regulations to retailers, the organization is in
favor of a uniform national data-breach reporting law, the letter said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
