NRF Letter Calls for Financial Industry Support

WASHINGTON — The National Retail Federation outlined its concerns about criminal data theft and security breaches at Target Corp. and Neiman Marcus in a letter to the two top leaders in Congress on Tuesday, calling for help from the financial industry to implement more secure debit- and credit-card technology for consumers.

Matthew Shay, president and chief executive officer of the NRF, sent a letter to Senate Majority Leader Harry Reid (D., Nev.) and Speaker of the House John Boehner (R., Ohio) on Monday, to assure them that retailers stand ready to help combat criminal data security breaches as the debate over protecting consumers from data security breaches heats up on Capitol Hill.

“At the end of last year, a sophisticated criminal attack to steal proprietary customer financial data and other customer information was perpetrated against Target Corporation, Neiman Marcus, and several other retailers. Among other things, this series of cyber attacks raises questions about the security of the basic payment systems utilized in the United States and has reignited a public debate about data theft and the security of information,” Shay wrote in the letter. “The [NRF] and our 12,000 members are committed to combating this criminal threat to our industry and our customers, and we strongly recommend the adoption of meaningful steps to fight cyber theft and credit-card fraud.”

Target revealed before Christmas that financial information, including credit-card information of 40 million of its customers who shopped its U.S. stores between Black Friday and Dec. 15, was compromised. It subsequently learned and revealed it had discovered as a part of its ongoing internal probe that certain customer data separate from credit-card information was stolen, potentially affecting an additional estimated 70 million consumers who might have had their names, mailing addresses, phone numbers and e-mail addresses stolen. Neiman Marcus later said that it too had been hit by a credit-card security breach, though the retailer did not disclose how many customers were potentially affected.

RELATED STORY: Target Sets Up Cybersecurity Group >>

“When it comes to the most criminally lucrative data — sensitive bank card information — our partners in the financial sector have a critical role to play in making sure their cards are secure,” Shay wrote. “For years, banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next generation ‘PIN-and-Chip’ card technology for customers in Europe and dozens of other markets.”

Shay cited a report released last Thursday by the U.S. Secret Service, US-CERT and iSight Partners of Dallas that found that the malware used in the attack against Target was highly sophisticated.

Shay said retailers have long sought the lead in payment security through adopting new technologies, including installing sophisticated PIN-enabled point of sale systems and the willingness to adopt cards with more secure microchip technology. But he stressed that retailers cannot solve the problem alone and noted that the industry is “eager to work with banks and card companies to fight cyber attacks and reduce fraud.

“Only by working together will consumers’ financial data be protected from criminals,” Shay said. “That is why it is time for our partners in the card industry to invest in next-generation technology to secure sensitive bank-card data. Adopting ‘PIN-and-Chip’ security measures in the U.S. (as the branded card networks and issuing banks have done to protect European consumers) would be a good start. As long as bank cards continue to be issued with outdated and fraud-prone magnetic stripe (and signature) security, it is clear American card holders will remain largely unprotected.”

He said NRF supports the PIN-and-Chip payment card security, widely used in Europe; a federal cyber-security law that would give the commercial sector the ability to quickly share information about threats, as well as legislation providing support for law enforcement; and one federal breach notification law to replace patchwork state laws.

“Credit-card fraud cost retailers and our financial-services partners more than $11 billion in 2012,” Shay said. “That is why NRF is committed to a long-term solution to the issue, working with all stakeholders to ensure that our customers’ sensitive information is protected.”