Cybersecurity Intensifies the Tension Between Banks and Retailers

Historical squabbles between bankers and retailers over credit cards have spilled over into cybersecurity.


Banks and retailers aren’t competitors in any conventional sense. Yet their industries are often at each other’s throat. They scuffle over the way money flows between them. The point of sale (POS) — where consumers hand over credit cards, and banks and other servicers extract fees for processing — is a battleground.

Retailers and banks typically argue about the costs not just of transaction authorization and settlement but also of fraud and counterfeiting losses, which have escalated in the era of cybercrime. Retailers are taking on more of that burden through upgrades of their POS technology, and they are complaining that the banks are not doing enough.

It’s mainly a U.S. issue — much of the rest of the world has moved to higher levels of card security — but it is playing out at a time when all industries are being urged to cooperate in the shared interest of cyberdefense.

The animosity may just be hereditary: For all its modern, automated trappings, banking is basically conservative; appeals for deposits essentially promote saving. Bankers make money on the interest rate spread between deposits and loans; retailers, on the margin between their costs and prices. The two camps disagree over whose profits come easier and how the costs of payment system advances are allocated.

The cultures have been clashing at the point of sale since banks began innovating with credit cards in the 1950s and ’60s. Until then, retail store credit was exactly that — a service designed to encourage spending in the given store. General purpose cards, primarily predecessors of today’s MasterCard and Visa, disrupted that model. So popular were the bank-owned brands, along with American Express and later Discover, that stores felt they had to accept them or risk losing sales.

To this day, card acceptance costs retailers at least a percentage point on each sale, and they continue to bristle about it — or at least about where the power lies in the relationship. Retailers have sued card companies for price fixing and won multibillion-dollar settlements, which have not exactly ushered in an era of détente.

There was something of a thaw following the theft of 40 million card account numbers in the fall 2013 Target hack. Industry leaders formed the Retail Cyber Intelligence Sharing Center — 15 years after banks had launched their analogous Financial Services Information Sharing and Analysis Center. In a February 2014 show of unity, the Financial Services Roundtable, Retail Industry Leaders Association (RILA) and other organizations announced the Merchant and Financial Services Cybersecurity Partnership to promote information sharing, risk mitigation and long-term security solutions extending to mobile and online commerce.

While those principles are not in dispute, U.S. merchants, to limit their loss liability, face an October 2015 deadline to install POS devices compatible with the so-called EMV standard. That enables them to read cards equipped with computer chips, which are far less vulnerable to fraud and forgery than the old magnetic stripes, and which card issuers are currently distributing.

The terminals are an aggregate $7 billion expense, but if they solve an $18 billion problem, the cost-benefit is clear. However, RILA contends, chip cards are a partial measure: Cardholders still sign their name to complete a transaction. The retailers advocate personal identification numbers instead. With debit cards, PIN transactions are 700 percent safer than non-PIN, RILA president Sandy Kennedy wrote recently in Roll Call, citing Federal Reserve data and urging the private sector to follow the federal government’s lead in standardizing chip-and-PIN.

“The technology is shown to be highly effective,” says John Gunn, Chicago-based head of communications for authentication systems company Vasco Data Security. “It’s just a question of who pays for it.”

Paul Kocher, a veteran of the card security wars who is president and chief scientist of the Rambus Cryptography Research division in San Francisco, believes these conflicts will sort themselves out and that, ultimately, “we could see a repeat of what happened in Europe — a rapid move to chip-and-PIN.” At least there is consensus that “fraud is bad for everybody,” he says, and that “1960s magnetic stripe technology has to change.”
