WASHINGTON (11/4/14)--Credit unions are willing to join collaborative efforts to improve payment security, but only if merchants agree to meet the same security standards financial institutions are subject to.
That's the message in a letter to six retail trade organizations sent jointly by the Credit Union National Association and the National Association of Federal Credit Unions.
With two major data breaches at Home Depot and Target costing credit unions at least $90 million, CUNA and NAFCU are reiterating the need for merchant security standards in order to find solutions that "will minimize such breaches and the costs credit unions must incur in their wake."
Credit unions and other financial institutions are bound under the Gramm-Leach-Bliley Act to adhere to strict federal data security standards, while merchants are not.
"Merchants and financial institutions both play critical roles in the payments system and they should be held to similar standards with respect to protecting consumer data. The weak link in the system today is on the merchant end," reads the letter, signed by CUNA President/CEO Jim Nussle and NAFCU President/CEO Dan Berger. "We continue to work with our members to deploy new technology, but as long as the security standards on the merchant side of the system are weaker than those on the financial institution side of the system, the vulnerability for consumers and financial institutions will be at your feet."
The two organizations agree with the merchants' notion that improved technology can reduce fraud and strengthen data security, but believe more measures are needed.
"In order for consumers to be more reasonably protected, advances in technology must be accompanied by merchants' compliance with federal standards for the safe keeping of financial data, cost liabilities and breach notifications in the event of an attack," the letter reads. "This is reasonable and the right thing to do."
The letter was sent in response to one sent last week by the heads of the Retail Industry Leaders Association, National Association of Convenience Stores, National Retail Federation, National Grocers Association, Food Marketing Institute and Merchant Advisory group.
In that letter, merchants claimed credit unions were the only holdout to a merchant-financial services cybersecurity partnership.
According to CUNA and NAFCU, both organizations considered joining the partnership several months ago, but "concluded that discussions simply would not be productive as long as merchants are not willing to do their part to safeguard financial data."