October 20, 2015 - National Association of Federal Credit Unions (NAFCU) President and CEO Dan Berger issued the following statement regarding the recent Europay, MasterCard and Visa (EMV) chip-card transition.
"The transition to EMV cards is an important step in the process of data security, but it is not a silver bullet," said Berger. "Unfortunately, retailers and merchants are not subject to the same data security standards as financial institutions. This leaves consumers' sensitive financial information extremely vulnerable to cybercriminals."
Since 1999, financial institutions have had to adhere to the stringent standards of the Gramm-Leach-Bliley Act that help safeguard consumers' sensitive personal and financial information.
"Cybersecurity is a shared responsibility," Berger noted. "Consumers will only be protected when every sector of industry, including merchants, issuers and networks, are subject to robust federal data safekeeping standards. To that end, NAFCU continues to urge Congress to modernize data security and cybersecurity laws to reflect the complexity of the current environment and insist that retailers and merchants adhere to a strong federal standard."
Specifically, NAFCU supports Sens. Tom Carper, D-Del., and Roy Blunt, R-Mo., bipartisan measure, S. 961, the "Data Security Act of 2015," and the companion House bill introduced by Rep. Randy Neugebauer, R-Texas, and Rep. John Carney, D-Del., H.R. 2205, which would set a national data security standard for retailers akin to GLBA while acknowledging financial institutions' existing adherence to GLBA standards.
NAFCU also supports S. 754, the "Cybersecurity Information Sharing Act," introduced by Sen. Richard Burr, R-N.C., which would help the nation defend against cyber-attacks through quicker, more efficient sharing of cyber-threat information between business and government while ensuring privacy.
Consumers need to keep the following issues in mind as the chip-card transition continues:
EMV adoption will also likely have a side effect of increasing online fraud - an October 2014 Javelin study shows online card fraud will rapidly increase despite the U.S. transition to EMV.
Most of the major retailer data breaches have been executed through malware - chip-and-PIN would not have prevented them.
Financial institutions continue to pursue new technologies such as tokenization, biometrics like voice and fingerprint recognition and point-to-point encryption - all in addition to EMV chip cards.
New technology isn't the only way to help protect consumers - there must be national data security standards for all businesses that handle financial information, including merchants.
NAFCU was the first financial trade organization to call for national data security standards for retailers in the wake of the 2013 Target data breach.