The war of words over whether the U.S. federal government should beef up regulation of retailers’ data security got another salvo from a credit-union organization last week, in a letter telling congressional leaders that retailers should be regulated like financial institutions.
“Congress must act to ensure technology standards are accompanied by strong data safekeeping standards for merchants and retailers akin to what credit unions comply with under the Gramm-Leach-Bliley Act,” National Association Of Federal Credit Unions (NAFCU) CEO Dan Berger said in letters dated April 2, 2015, and addressed to Senate and House leaders, Credit Union Times reported.
The letter was part of an ongoing set of lobbying campaigns by trade groups of retailer and financial institutions, trying to influence proposed legislation intended to do something about the increasing costs and frequency of data breaches, especially those involving payment cards.
For example, in mid-March the National Retail Federation sent lawmakers a white paper by two former U.S. Federal Trade Commission officials that argues the FTC, which enforces the Gramm-Leach-Bliley Act’s data-security requirements for banks, isn’t equipped to add millions of merchants to the roughly 13,000 financial institutions they oversee under the law.
Berger linked his letter to an apparently unrelated letter from the Food Marketing Institute, a grocers’ trade group, to Visa, MasterCard, Discover and American Express, asking that the Oct. 1, 2015, EMV liability shift be delayed for merchants whose EMV rollouts are in progress but are being stymied by delays in EMV standards from card brands and equipment deliveries by payment-device vendors.
“FMI’s delay tactic is remarkable given the extraordinary number of merchant and retailer breaches that have occurred in recent months coupled with the intense interest in preventing breaches from lawmakers and the regulatory agencies,” Berger wrote, adding that “Congress should not be fooled by these groups’ unscrupulous tactics and falsehoods.”
The FMI’s March 23 letter, signed by FMI CEO Leslie Sarasin, claimed that there is a 16-week backlog in EMV device orders from point-of-sale vendors, and that card brands’ delays in releasing specifications have delayed retailer rollouts. It said one of its member supermarket chains was recently informed that its already installed EMV terminals “will not be certified until June 2015” and that an additional two months will be required after that to individually upgrade the devices in stores.
The group also pointed out that the Oct. 1 deadline comes at the beginning of the holiday season. “FMI asks that you consider the time of year for which this shift is scheduled and allow a delay until August 2016, or a time that would work well in an actual retail setting,” the letter said.