What’s Up in Washington

Nov 10, 2020

By: Liz Garner, VP, Merchant Advisory Group

September 8, 2014

Rewind to the first of the year, and one of the hottest topics in Congress was payment card breaches. Nine months later, several pieces of legislation have been introduced, numerous Congressional hearings have taken place, and various representatives – from both the government and private industry – have testified on payment card security and data breaches. But what has been accomplished? Furthermore, what’s on the horizon?

With only ten days on the fall Congressional schedule, and a limited lame-duck session after the November mid-term elections, there’s not much time left this year for Congress to act. In some ways, that’s a shame because Congress has a real opportunity to pass a federal data breach notification standard to help make the breach notification process more seamless for businesses and consumers.

Most retailers support the policy rationale for a federal breach notification standard, but as with any legislation, the devil is always in the details. 

Even when one talks only about a notification standard, it is critical to cover equally all parties involved in managing and transmitting payment card information or other sensitive data, so that everyone has the same incentive to keep that data as well protected as possible. Several pieces of legislation introduced this Congress contain full exemptions for third-party service providers, wireless carriers, technology companies, networks, and financial institutions. These are all stakeholders who touch data in payment card transactions, and they must have the same incentives merchants do to keep that transaction data secure, irrespective of the other data security laws governing those entities. The point here is that a payment card transaction “lives” in an ecosystem – one that may get even more complicated with mobile payments – and that ecosystem is only as strong as its weakest link.

So will merchants support a reasonable federal data breach notification solution? I absolutely think so, as long as everyone in the payment ecosystem who touches a transaction is held to the same standards for protecting the sensitive data involved in that transaction. Without equal incentives to protect transaction data there will likely be a weakest-link problem, and everyone – especially consumers – will lose out in the end, because the U.S. will not make the strides necessary to achieve better protection of payment card data.

That leads us to even bigger policy questions that lawmakers should be focused on. First, where are the shortfalls in the current system? Second, why do those shortfalls exist? And third, how can we get rid of those shortfalls?  Those are hugely important policy questions with very complicated answers, but there’s one basic place to start and that’s with oversight on who is creating the rules of the ecosystem and what incentives those groups have to roll out the best protections for businesses and consumers. Take for example technologies like tokenization – which replaces sensitive account number data with a ‘token’ that cannot be used in future transactions – and look at how those technologies are being deployed in the United States.

Only through an open, standards-based and accredited process should we be laying the groundwork for U.S. commerce, including mobile payments, for years to come.  Instead, MasterCard recently announced plans to roll out a proprietary solution. While MasterCard executives claim the impetus for rolling out the technology is to drive safer transactions through the network, they don’t hide that there’s a “revenue opportunity” there for their company.

And as with any legislation, the devil is in the details of the technology rollout. Payments consultant Steve Mott got it exactly right in a recent Digital Transactions article, where he said that one of the new MasterCard tokenization enablement fees being charged to issuers “may be using static tokens to accommodate issuers whose back-office systems aren’t ready to handle more secure, dynamic, or one-time-use tokens . . . ‘That gives security people palpitations. They dumbed it down to accommodate the least-capable banks.’”
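To make the static-versus-one-time-use distinction concrete, here is an added illustration that is not part of the original article and does not describe MasterCard’s actual system: a hypothetical in-memory token vault (real vaults are HSM-backed services) that can issue either kind of token. A static token maps to the same account number every time, so a token captured from one transaction is accepted again later; a one-time-use token is consumed on first redemption, so a replayed copy is rejected. The account number used is a constructed test value.

```python
"""Static vs one-time-use tokenization, shown with a toy token vault.

Added example, not code from the article or from any payment network.
The vault is a plain dictionary; a production vault is an HSM-backed,
audited service. The point is the difference in replay behaviour.
"""
import secrets
import string
from dataclasses import dataclass, field


@dataclass
class TokenVault:
    """Hypothetical vault that keeps the PAN-to-token mapping server side."""
    static_by_pan: dict = field(default_factory=dict)   # PAN -> static token
    pan_by_static: dict = field(default_factory=dict)   # static token -> PAN
    one_time: dict = field(default_factory=dict)        # one-time token -> PAN

    def _new_token(self, pan: str) -> str:
        # 16 digits like a PAN: 12 random digits followed by the real last
        # four, which receipts usually show. The token carries no account data.
        body = "".join(secrets.choice(string.digits) for _ in range(12))
        return body + pan[-4:]

    def issue_static(self, pan: str) -> str:
        """Same PAN always gets the same token (the weaker scheme)."""
        if pan not in self.static_by_pan:
            token = self._new_token(pan)
            self.static_by_pan[pan] = token
            self.pan_by_static[token] = pan
        return self.static_by_pan[pan]

    def issue_one_time(self, pan: str) -> str:
        """Fresh token per transaction; valid for exactly one redemption."""
        token = self._new_token(pan)
        self.one_time[token] = pan
        return token

    def redeem(self, token: str) -> tuple:
        """Network-side detokenization. Returns (pan, kind) or raises."""
        if token in self.pan_by_static:
            # Static tokens are never invalidated, so any copy keeps working.
            return self.pan_by_static[token], "static"
        pan = self.one_time.pop(token, None)   # consumed on first use
        if pan is None:
            raise ValueError("unknown or already-used token")
        return pan, "one-time"


def replay_accepted(kind: str) -> bool:
    """Simulate one legitimate use of a token followed by a replay of a copy.

    Returns True if the replay is accepted by the vault (bad), False if it is
    rejected (good). 'kind' is "static" or "one-time".
    """
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real account
    if kind == "static":
        token = vault.issue_static(pan)
    else:
        token = vault.issue_one_time(pan)
    vault.redeem(token)          # legitimate first redemption
    try:
        vault.redeem(token)      # second submission of the same token
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("static token replay accepted:  ", replay_accepted("static"))
    print("one-time token replay accepted:", replay_accepted("one-time"))
```

Run stand-alone, the script reports that the static token is accepted twice while the one-time token is refused on its second use. This is the property Mott is pointing at: a static token is a stable stand-in for the card number, so its protection reduces to keeping the token secret, whereas a one-time token is worthless once spent, which is what limits the damage from a compromised merchant or intermediary.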

So with that, I leave the question open as to whether it truly makes sense to exempt any payments stakeholder from future federal data breach legislation. It seems if we do, we’ll end up with technology solutions that will not protect businesses and consumers to the greatest degree possible, and U.S. commerce and consumer confidence will struggle as we move to payments in emerging technology platforms, such as mobile.