Breaches Expose Payments System FlawsABA Seeks Greater Checks, Balances Throughout Cycle
"Everyone in the payments space needs to ensure security," says Kenneally, vice president of the ABA's Center for Regulatory Compliance and Financial Policy and Regulatory Affairs. "In December, one retailer [Target Corp.] was breached and it could affect over 100 million accounts" (see Target Breach: 70 Million Affected).
Most recently, luxury retailer Neiman Marcus acknowledged that it, too, had suffered a data breach of undetermined proportions (see Neiman Marcus Confirms Card Breach). These incidents cost banking institutions millions of dollars in detection, recovery and card-reissuance expenses, Kenneally says during this interview with Information Security Media Group. But where is the accountability throughout the rest of the payments chain?
"Banks are highly regulated," Kenneally says. "They have requirements they have to meet, and they are examined regularly by the agencies to make sure they are following the regulations. On the flip side, it's a lot less clear what regulations and rules and standards [merchants] have to follow and who's checking to see that they're actually doing it."
Coincidentally, the U.S. Federal Reserve this past fall issued a report, Payment System Improvement - Public Consultation Paper, suggesting improvements and enhancements to the U.S. payments landscape. In response, the ABA is pushing the Fed and federal legislators to focus on the types of checks and balances that can enhance security throughout the payments chain.
"If entities are processing information that could compromise a consumer's account, then they need to be secure," Kenneally says.
In its paper, the Fed notes: "The U.S. payment system is undergoing a remarkable period of change, driven by rapid adoption of technology and evolving end-user expectations. Going forward, opportunity exists to improve speed and efficiency of payments and to maintain payment system safety in the face of escalating threats."
Kenneally says the ABA supports the need for faster payments. But as the recent retail breaches have shown, figuring out how to ensure ongoing security of those payments is the greater priority for the banking industry.
Consumer safety "has to be the lead attribute" to any changes made to the U.S. payments system, Kenneally says. And the ABA wants to know that banking institutions won't be shouldering all the financial burden when and if card data is breached.
"Payments are important," he says. "Consumers need to be protected, and the system needs to be protected. And if you are in the payments chain, you need to be following the same rules as everyone else."
During this interview, Kenneally discusses:
- Consumer protections for credit and debit breaches;
- The roles financial and non-financial actors play in payments security;
- Steps the ABA is taking to educate banking institutions about the Fed's proposed changes to the U.S. payments infrastructure.
Kenneally works in the Center for Regulatory Compliance at ABA on issues related to legacy payment systems including check, ACH, card and wires, as well as emerging payment technologies, such as digital wallets, virtual currency and peer-to-peer payments. He is the staff liaison to two standing member committees focused on payments issues, in addition to ABA's Emerging Payments Advisory Group. Before joining the ABA in 2005, Kenneally worked at the U.S. Department of the Treasury, where he managed the private network of banks collecting non-tax payments on behalf of the federal government and drafted regulations and guidance on cash management issues.