SAN DIEGO -- Protecting customer data shouldn’t be the responsibility of the consumer, stressed an expert panel Monday at NACHA Faster Payments 2018. However, creating a system that is wholly secure is easier said than done, and that’s why collaboration is needed across the entire payments ecosystem.
Suzanne Martindale, staff attorney for the Consumers Union, noted that the Equifax data breach was less than a year ago, and it feels as though people have forgotten about it. That breach was massive and had much more significant implications than even the infamous Target breach, because you can change your credit card number. You can’t change your social security number.
Martindale asked how many attendees froze all of their credit files once the breach was revealed. Only about half raised their hands. She jokingly scolded the audience—which was comprised of payments professionals—for not freezing their credit.
But on that note, she pointed out that many consumers out there didn’t understand the need to freeze their files when this incident occurs either. Similarly, when consumers are left to choose to set up stronger authentication on their accounts, many don’t want to deal with it. Therefore, banks, corporates and payment service providers need to be the ones to step up.
“It is incumbent upon the industry to make those business investments on the front end so that the consumer has to use multifactor authentication, can’t use password for their password, etc. Very common sense things that will ensure that when people spend that three to five seconds creating that account, the consumer protections are baked in.”
Moderator Ken Montgomery, First Vice President and Chief Operating Officer, Federal Reserve Bank of Boston, began by noting that merchants have been under a lot of scrutiny due to the influx of data breaches that have occurred over the past decade. He asked what more needs to be done by retailers to shore up security.
Reed Douglas Luhtanen, senior director, payments strategy for Walmart Stores, responded that a lot of attention has been paid to merchant data breaches, largely due to the manner in which these incidents become known to the public. “We don’t know who you are when you shop at our stores and we don’t have a way to contact you directly, so the only way to notify you of a breach is to put out an announcement,” he said.
Luhtanen added that other companies in other industries that have direct relationships with their customers can contact them directly and avoid a lot of the bad press.
The bigger issue, he added, is that retailers are acceptors of the products that financial institutions and payment service providers put into the market. “So to the extent that those products have inherent flaws, we are susceptible to those flaws through no fault of our own,” he said. “So what we need to do is focus on those products and make sure that they have the necessary 21st century security capability to protect this stuff.”
However, Peter Tapling, an independent consultant who participated in the Federal Reserve Secure Payments Task Force, countered that the payments industry could resort to building extremely secure systems that ultimately wouldn’t see any use because they would be so difficult to navigate. So it’s a difficult balance to create something that is secure but also isn’t impossible to use.
“Every time you come out with anything new, the bad guys are going to be the first guys that fly in and figure out where the cracks are,” he said. “We build businesses that we hope will last for tens of years. They just need to steal for 16 or 18 months and then they move on to the next thing, because they know that we’re going to come out with more new products.”
FIXING INFORMATION SHARING
Tapling added that cross-industry information sharing can be a huge asset in stopping fraudsters from exploiting the weakest link. “Let’s find the weak link first,” he said. “Individual companies hire white hat hackers to figure out where their weaknesses are, but as a payments system, we don’t hire white hat hackers to find the weak link in the system. Well, the bad guys are doing that all the time.”
Furthermore, there is disagreement across the payments ecosystem as to what information needs to be shared, and what kinds of security incidents are meaningful. “We can’t even agree on what defines a fraud event,” Tapling said. “So if you’re going to do information sharing on fraud events but you can’t agree on what a fraud event is, then it’s really hard to do. It diminishes the value of information sharing.”
Tapling concluded that these issues underscore the need for payments stakeholders to continue to work together to improve the information sharing model. “We need to continue to be engaged as an industry on a systemic basis to try and figure out how we can create information that is meaningful,” he said. “There’s not going to be one person that provides it; there are going to be multiple people that provide it. They won’t all provide the same thing, and some are better than others at certain things.”