The recent data breaches occurring at large retailers have spurred thousands of headlines, as well as significant interest from elected officials both in Sacramento and in Washington, D.C.
These breaches underscore the vulnerabilities in our payments system, and have also raised the issue of who should be responsible for the costs associated with strengthening the security of the system.
Our payments system consists of several entities: banks, card networks, retailers and processors. Protecting this system should be a shared responsibility of all parties involved and each entity must invest the necessary resources to address increasing threats designed to breach the payments system.
When data breaches occur, a bank's first priority is to protect consumers from fraud caused by the breach and keep them whole financially.
When a retailer speaks of its customers having "zero liability" from fraudulent transactions, it is because our nation's banks are providing that relief -- not the retailer that suffered the breach.
When a data breach occurs, banks absorb the costs associated with monitoring accounts for indications of suspicious activity, blocking and reissuing cards, and also reimburse consumers for all confirmed fraudulent transactions.
According to the Consumer Bankers Association, in response to just one of the recent data breaches, its member banks have reissued more than 17 million credit cards at a cost of more than $172 million.
Banks understand that a critical issue for consumers is the security of their personal information. Banks already dedicate hundreds of millions of dollars annually toward data security, and unlike retailers, banks are also subject to robust regulatory oversight and examination at both the federal and state levels.
As evidenced by the recent breaches, criminals are becoming increasingly advanced in their efforts to infiltrate the payments system, requiring all participants in the system to invest the necessary resources to combat what is a dynamic and ever-evolving threat.
Extensive efforts are already underway to improve card security, including the implementation of EMV (chip-and-PIN-based technology) standards set to be in place by October 2015.
EMV technology improves current security by helping prevent fraud at the cash register, known as point-of-sale, or POS. EMV embeds cards with a microprocessor chip, making it harder to commit the same types of fraud seen with magnetic stripes.
Europe, which widely uses this type of technology, has seen a significant decrease in counterfeit card fraud. But making the switch by 2015 requires merchants to make a substantial financial investment to upgrade their own card-reading equipment, which has generated resistance from some in the retail industry.
While upgrading technology at POS terminals will help address potential fraud at the cash register, it will not address all problems, including online security where a majority of the fraud has migrated to.
As policymakers in Sacramento contemplate new measures to protect consumers' personal information, it is important to understand that threats to data security are ever-changing and that it is difficult to anticipate what new challenges the future will bring.
Policymakers should refrain from embracing any one solution or technology as the answer to any one concern, because as the threat evolves so too must our efforts to combat fraud and data theft. Instead, we would hope that they encourage all interested parties to continue working together and invest the necessary resources to combat increasingly sophisticated threats with a common goal of protecting consumers and fighting fraud.
Rodney K. Brown is president and CEO of the California Bankers Association. Established more than 123 years ago, the California Bankers Association is one of the largest state banking trade associations in the country. CBA represents the majority of California's commercial, industrial and community banks and savings associations.