Credit Unions Bank on State Data-Security Laws

Groups push bills to protect payment card info, get retailer reimbursements

As an increasing number of states consider bills seeking to codify pieces of the Payment Card Industry (PCI) Data Security Standard into law, a common thread is emerging: the involvement of credit unions in pushing the legislation.

California legislators last week held a hearing on a bill that would set new data security and breach-notification requirements for all organizations processing credit and debit card transactions in the state. Businesses hit by breaches would also have to reimburse affected banks and credit unions for the costs of alerting customers and reissuing cards.

The chief proponent of the bill, which was introduced in the state assembly in February, is the California Credit Union League. The CCUL's sponsorship of the proposal mirrors recent efforts by credit union associations to pass similar measures in Minnesota and Texas, successfully in the former state and unsuccessfully in the latter.

Burden of Breaches

The need for such legislation is being driven by the burgeoning costs that many credit unions are having to bear as a result of security breaches at merchants, said Keri Bailey, a lobbyist for the CCUL.

"This is an issue of fundamental fairness," Bailey said. "Right now, the burden is entirely on the financial institution." The federal Gramm-Leach-Bliley Act requires banks and credit unions that issue cards to do a whole lot to protect people's data, she said. "But the folks accepting this data [for transactions] have no skin in the game."

Individually, large and midsize credit unions can easily end up shelling out between $500,000 and $750,000 annually in breach-notification and card replacement costs, Bailey said. And those figures don't include any fraud-related charges, she noted.

Most credit unions are not-for-profit institutions, Bailey said. As a result, it's harder for them to absorb the costs of responding to retail security breaches than it is for banks, she added.

The bill in California has goals similar to those of the Plastic Card Security Act that was signed into law in Minnesota two weeks ago. The requirements included in the Minnesota law and the California bill incorporate elements of the PCI standard, which was developed by the five major credit card companies.

Another PCI-derived bill was unanimously approved by the Texas House of Representatives in early May but didn't make it through that state's Senate before the latest biennial legislative session ended last week.

Such measures are needed to prod retailers to become more serious about their data security practices, said Steve Rowen, an analyst at Retail Systems Alert Group, a consulting firm in Newton, Mass.

Despite the negative publicity generated by high-profile breaches such as the one disclosed in January by The TJX Companies Inc., retailers haven't had to bear much fiscal responsibility for security lapses, Rowen said. PCI enables credit card companies to assess financial penalties when data breaches occur. "But," he said, "to my knowledge, no retailer has been forced to pay any actual costs beyond its own expenses."

Playing the Security Card

If California's AB 779 is approved and signed into law, it will:

- Prohibit retailers and other merchants from storing data such as card verification values and PINs in their systems.
- Require the use of strong encryption routines and user access controls on card and account data.
- Compel businesses to disclose more details about breaches, including the types of data that may have been compromised.
- Enable financial institutions to identify the source of data breaches when they send notices to their customers.

However, Jon Hurst, president of the Boston-based Retailers Association of Massachusetts, voiced concerns about Minnesota's new law and the proposed statute in California, which he described as a one-sided proposal.

Retailers already pay the credit card companies for fraud-related costs upfront via so-called interchange fees, Hurst said. If credit unions and small banks want to be reimbursed for their breach-related costs, he added, they should be working with [bigger] banks and the card associations to fix the system, and not trying to pass laws to bring more money their way.

Copyright © 2007 IDG Communications, Inc.