Retailers welcome Obama’s proposed cybersecurity policies

Feb. 23, 2015
Q&A with NRF VP and Senior Policy Counsel Paul Martino

Earlier this month, President Barack Obama spoke at a White House cybersecurity summit held at Stanford University where he called upon business leaders to work with the federal government in helping to combat online attacks. Given the scale and impact of recent data breaches, including the massive hack against Sony Pictures late last year, cybersecurity has been one of the Obama administration’s primary areas of focus early on in 2015. The president has already asked Congress to pass comprehensive data breach notification legislation and announced at the summit that he has signed an executive order that would make it easier for private sector businesses to gain access to classified information about cyber-attacks.

The retail industry has been one of the hardest hit by cyber thieves with large-scale breaches against Target and Home Depot garnering numerous headlines and spurring debate about how retailers process and store payment card and other information about consumers. Retailers have also not shied away from the issue as many have already begun the process of migrating away from magstripe payment card terminals to the more secure chip and PIN point-of-sale systems that have been widely used throughout Europe for some time. SIW recently caught up with Paul Martino, vice president and senior policy counsel at the National Retail Federation, to discuss the NRF’s involvement in the recent cybersecurity summit and how recent legislative proposals bode for the industry.

SIW: What is your take on the president’s increased emphasis on cybersecurity as it relates to protecting consumer data?

Martino: We welcome his support and effort to promote some of the legislative proposals that we have supported for a number of years. In particular, he’s supportive of cybersecurity information sharing legislation that would provide liability protections and other protections for industry to encourage greater sharing of cyber threat information among businesses and with the federal government. We think that would help our members who wish to receive that kind of threat information to better defend their networks from similar attacks.

The president also called for one, uniform data breach notification law and that’s something we have also supported for a very long time. It would help both businesses and consumers to have one national standard because there are about 51 jurisdictions right now that have separate disclosure rules and what that does is divert time, energy and resources away from repairing a breach and informing consumers if one happens. One uniform standard would not only speed compliance, but would make notices to consumers more concise, timely and clear.

SIW: Are retailers ready to make the transition to chip and PIN payment card technology?

Martino: I think many retailers are working to make the shift. It’s obviously a company-by-company decision. What we’ve talked about with respect to the shift is that this is an investment of approximately $20 billion to $30 billion by retailers – the shift to point-of-sale systems that can read chip-enabled cards – but we are concerned that the banks and other institutions like credit unions will not issue the kinds of chip-enabled and PIN-enabled cards that have proven to be more protective of consumers.

For example, we have pushed for chip and PIN card solutions. Chip-enabled systems alone would not prevent the kind of fraudulent use of the cards and the card numbers that we would like to protect against. Even with a chip card, if it was lost or stolen, someone could take that card and use it in another retail location by simply signing on the back, so we don’t think a signature is an effective authentication tool and frankly, it dates back to the 1960s. Also, if you took a chip card and read the numbers embossed on the front, you could use those numbers online or by catalogue shopping over the telephone. We think it’s a half solution – it is like locking the front door without locking the back door. If you look at the other G20 nations, most of them use chip with PIN numbers. The chip defends against counterfeit cards, but the PIN protects and authenticates the customer.

SIW: What are some best practices the NRF recommends for retailers when it comes to safeguarding customer and/or vendor data?

Martino: There have been some questions raised by banks and others about what standards retailers have. I think retailers have standards at the federal level, state level and at the operational level via contracts. At the federal level, the FTC enforces against all companies within its jurisdiction, including retailers, reasonable data security standards. The FTC has brought over 50 enforcement actions against companies for unfair business practices for not having reasonable data protection standards. Many states have their own separate law with respect to data security, which we always fall under. Additionally, the payment card industry or PCI has a set of rules – I think they number well over 200 separate requirements for data security if you’re accepting payment cards. Those are very specific standards, rules and requirements that retailers have.

On top of that, we work with our members with respect to how they’re implementing the latest technologies. In addition to working to update point-of-sale systems to read EMV chip-enabled cards, retailers are also investing in point-to-point encryption. Many have already implemented that type of encryption in their systems or are on the path to implementing it. If we encrypt the data while it is in our control, it would work to devalue the data so if a breach did occur, the data would be useless to the bad actor.

SIW: Is there anything that you are looking forward to achieving by taking part in this and potentially other cybersecurity summits held by the White House?

Martino: Anytime the president participates in a summit it is going to draw a lot of awareness and attention to the issues. We would hope this begins a broad dialogue that includes views from all affected industries and stakeholders in these issues. There are elements that will be addressed at the cybersecurity summit, such as information sharing and information sharing legislation, but there are also other things we could do to help address cyber-attacks. Some of the things that retailers support, in addition to the chip and PIN and point-to-point encryption, are the creation of an open tokenization standard… and providing federal protections for debit cards. Credit cards under the Truth in Lending Act enjoy protections against fraudulent use where the liability for consumers is capped at $50. We think debit cards should have similar protections.