The Great Retailer vs. Credit Union Dust Up

Posted May 5, 2015

A Retail Group Suggesting Slowing Implementation of New Secure Cards and Holding Off a Shift in Payment Fraud Liability Sets Off War of Words

The switchover to EMV cards is not a matter of black-and-white. Perhaps there aren’t fifty shades of gray, but there are definitely gray areas that need exploring. For instance, will cybercriminals abandon point of sale (PoS) fraud only to turn their attention to online fraud?

In a ThreatMetrix news release, “Six Months Ahead of EMV Chip Deadline, ThreatMetrix Offers Strategies to Protect Against Expected Increase in Online Fraud,” ThreatMetrix’s chief products officer advised that “from a consumer perspective, the shift to EMV is good news as it will make it harder for cybercriminals to counterfeit credit cards and conduct fraudulent purchases in stores. But from an online merchant perspective, as it becomes more difficult for cybercriminals to monetize on counterfeit cards, their goals are now going to shift to using stolen credit card data through online channels. Right now – ahead of the October deadline – is the time for retailers to start implementing systems that look at cybercrime in context to combat the growing breadth and intelligence of fraud following the widespread adoption of EMV in the U.S.”

And there are other issues that have cropped up like the one that has credit unions and retailers throwing verbal darts at each other. Specifically, who gets stuck with the tab when payment fraud does occur? In her piece on thehill.com, Elise Viebeck talks about what happened when the Food Marketing Institute (FMI) told card networks it would be a good idea to delay plans to shift liability for payment fraud to parties using “the least-secure” technology. The following has been excerpted from her piece and edited to fit our format. You may find the full article by clicking on this link.

The war of words begins

The letter [from FMI] prompted a fierce response from the National Association of Federal Credit Unions (NAFCU), which criticized the group’s request in a letter to top lawmakers. “FMI is more concerned about the cost of complying with the EMV standards and how quickly they can process transactions than it is about consumers and doing everything they can to protect their customers from future breaches,” wrote NAFCU President and CEO Dan Berger. “FMI’s delay tactic is remarkable given the extraordinary number of merchant and retailer breaches that have occurred in recent months.”

Oh yeah!

[The] Retail Industry Leaders Association (RILA) fired back at the NAFCU, accusing financial institutions of rolling out chip-and-signature cards as opposed to chip-and-pin cards, which it called more secure. “Chip and PIN cards have become the mainstay in the rest of the industrialized world, sharply reducing fraud and cyber-attacks, while unfortunately making U.S. retailers and consumers the prime target for would-be hackers and credit thieves around the globe,” the group said. “NAFCU and others in the financial services industry have yet to adequately explain why they refuse to use readily available and proven technology to safeguard American consumers.” The RILA also said it has not called for a delay of the liability date.

The bottom line is who’s picking up the tab?

Financial institutions and retailers have long been at odds over who is responsible for data breaches and what should be done to fight them.

ThreatMetrix

ThreatMetrix

close btn