SlideShare a Scribd company logo

Credit unions respond to data breaches NCUA letter

David Sweigert
David Sweigert

Posted as a courtesy by: David Sweigert Security+ CISSP CISA HCSIPP Associate PMP Risk assessment and security junkie

Business
1 of 5
1 October 30, 2014 Mr. Jim Nussle President and CEO Credit Union National Association 601 Pennsylvania Ave NW, South Bldg. Washington DC 20004 Mr. Dan Berger President and CEO National Association of Federal Credit Unions 3138 10th Street North Arlington, VA 22201 Dear Mr. Nussle and Mr. Berger, We are writing to address a number of misleading and factually inaccurate points perpetuated by the Credit Union National Association (CUNA), the National Association of Federal Credit Unions (NAFCU) and other state credit union associations in the media and before Congress in regards to the state of cybersecurity in our country. As parts of the same payment ecosystem, it is important that our shared goals remain the improvement of cybersecurity and protection of consumers. To begin with, we would like to take this opportunity to dispel a few misconceptions which seem to have arisen regarding recent cyber-attacks and the response by retailers and financial institutions. These misconceptions are as follows:  Data breaches only – or disproportionately – affect retail merchants. We know that this can be easily disproved by both empirical evidence and recent high-profile occurrences. When the 2014 Verizon Data Breach Investigations Report analyzed 1,367 data- loss incidents last year, they found that 465 (roughly 34 percent) took place at financial institutions, while fewer than 150 (less than 11 percent) affected retailers. Furthermore, the recent breach at J.P. Morgan Chase & Co. – one of the largest financial institutions in the world – is reported to have compromised the information of some 76 million households and 7 million businesses. And, as the USA Today reported on its front page October 20th, “Federal officials warned companies Monday that hackers have stolen more than 500 million financial records over the past 12 months, essentially breaking into banks without ever entering a building.” It is important to realize that both retailers and financial institution have been affected by cyber-attacks and both likely will be again.  Retailers do not share the costs incurred by card fraud. A 2013 study by the Federal Reserve looked at fraud instances associated with use of debit cards and found that retailers do share the costs incurred as a result of card fraud. In fact, costs were shown to be borne almost equally among retailers and card-issuing institutions.
2 These vary by transaction: for more secure PIN debit transactions the card issuer, naturally, absorbed a greater share of the fraud; for less secure signature debit transactions the merchants absorbed nearly half of all fraud losses; and for card-not-present debit transactions (transactions made online, over the telephone or by catalogue) merchants bore a greater percentage of fraud losses than card issuers did. And, merchants pay the cost of card fraud in advance, through swipe fees, before fraud is ever incurred. In fact, even the Federal Reserve’s debit card regulations are geared to provide that the average issuer has one hundred percent of its debit fraud losses covered by swipe fees. Moreover, even after absorbing substantial fraud losses, merchants are subject to massive fines by Visa and MasterCard networks and hundreds of millions of dollars in restitution through private litigation for cybersecurity breaches.  Retailers do not contribute to the costs of issuing new cards to consumers after a data breach. Merchants do, in fact, reimburse card issuers for both card reissuance and actual fraud losses following a breach based on many factors, including: the number of cards requiring reissuance, the incremental fraud associated with each individual card, and the age of the card and when it was due for reissuance, regardless of a breach. These schedules are contractually agreed upon by Visa and MasterCard and your credit union members. Merchants do not have a say in these reimbursement requirements. For example, MasterCard reimburses card issuers on the following schedule for card reissuance: This chart clearly demonstrates that a credit union with assets of under $200 million is eligible to receive a higher reimbursement rate than its larger competitors. Additionally, if there is fraud associated with the card, card issuers are again eligible for a separate fraud adjustment reimbursement. To support our insistence that CUNA and NAFCU stop repeating such false statements as “merchants bear NONE of the costs to issue…new credit and debit cards,” “merchants pay nothing when they lose my personal data, [and so] they have no reason to make their data
3 protection standards more stringent,” and “when the merchants cause a data breach, they just pass along all the costs…to my credit union,” we bring to your attention the specific sections of MasterCard’s operating rules where these sections may be found: 6.4.1 ADC Operational Reimbursement Factors, MasterCard Account Data Compromise User Guide, July 22, 2012. Of course, Visa maintains similar schedules to which your credit unions have contractually agreed to as well.  Retail merchants leave the burden of customer security exclusively up to credit unions and banks. Just as data breaches are a shared threat, protecting against them is a shared responsibility. Merchants spend more than $6 billion annually on data security. And retailers already employ a number of methods to protect against card fraud, including: o PIN prompting at the point-of-sale for debit cards o Card Verification Value (CVV) prompting for Internet purchases o Address/ZIP code verification o Automated transaction scoring o Data encryption o Data tokenization o Internet Protocol (IP) address/geolocation authentication Merchants pay financial institutions extra fees for some of these services. And, in addition to the safeguards listed above, retailers are proactively leading the way in advancing technology that would significantly increase protection for consumers: Chip-and-PIN payment cards. The volume of cyber-attacks has become particularly intense because the antiquated and woefully inadequate magnetic stripe technology still in place today. As issuing banks in nearly every other G-20 nation have migrated away from this 1960s-era technology to a substantially more secure technology, known as Chip-and-PIN, cybercrime and fraud have migrated to the United States. Retailers are on track to have completed an enormous investment in order to be able to accept Chip cards next year. Yet, there is still little promise that card issuers will issue such cards. In fact, financial institutions trail merchants on these technology updates in the United States and around the globe. Outside of the U.S., 70 percent of merchants have upgraded to Chip-and-PIN devices at the point-of-sale, but only 40 percent of the cards have been upgraded. That is similar to the situation here in the United States where nearly 20 percent of merchants have upgraded their terminals but less than one percent of the cards issued contain the new technology. Moreover, card issuers in the United States intend to begin issuing chip cards without requiring PINs, a feature that is proven to reduce fraud by 700 percent on debit cards alone. If this occurs, it will result in an inexcusable lapse which threatens to make billions of dollars in merchant upgrades ineffective. It is difficult to ignore the benefits of PINs for enhanced security when credit unions themselves require them for withdrawals at their own ATMs.
4 Reportedly, credit unions will not be issuing chip cards by the timelines set by the financial industry. According to the Credit Union Times, more than half of all credit unions are expected to miss an October 2015 date to issue cards equipped with chips. In discussing the migration to payment cards with chips, Barney Moore, manager of card consulting services for Card Services for Credit Unions (CSCU), an association of credit unions affiliated with payment processor FIS, recently told the Credit Union Times, “it seems unlikely that they [credit unions] will have gotten it done by next October.” Moore cited concerns about “costs, delays in ironing out technical details and bottlenecks among plastic card suppliers” as reasons credit unions could miss the mark. If merchants will collectively be spending $30 billion to upgrade their terminals by October 2015, it is unfathomable that credit unions are not willing to upgrade magnetic stripe cards, which cost $1 to issue, to more secure chip cards, which only cost an additional $3 to issue. Protecting our customers is a shared interest and we must all work to ensure the highest level of security possible. Instead of engaging in finger-pointing, all participants in the payments ecosystem must put in place measures that are effective, be vigilant, and embrace collaborative public-private partnerships that are available and proven to work. The bottom line is that consumers and accountholders deserve solutions, not posturing and misinformation. For these reasons, the merchant community is working together with many within the financial services industry to strengthen protections for consumers. The Merchant-Financial Services Cyber Security Partnership is a collaborative effort that has brought together more than 250 executives from all segments of the merchant and financial services communities to work with their peers to protect their shared customers. Unfortunately, while retailers, restaurants, convenience stores, hotels, national banks, card networks and community banks have joined the Partnership, one constituency has still not seen fit to participate: credit unions. It is past time we started working together for the greater good of America’s consumers. Sincerely, Sandra L. Kennedy Henry Armour President President and CEO Retail Industry Leaders Association National Association of Convenience Stores Matthew R. Shay Peter J. Larkin President and CEO President and CEO National Retail Federation National Grocers Association Leslie G. Sarasin, Esq., CAE Mark Horwedel President and CEO CEO Food Marketing Institute Merchant Advisory Group
5

Recommended

Team Profile for Skyline
Team Profile for SkylineTeam Profile for Skyline
Team Profile for Skyline
Hu Hai
 
10. 1946
10. 194610. 1946
10. 1946nowadeba
 
Plots in Neemrana-Behror,8459137252
Plots in Neemrana-Behror,8459137252Plots in Neemrana-Behror,8459137252
Plots in Neemrana-Behror,8459137252
sahilkharkara5
 
diabete
diabetediabete
diabeteMassimo Masserini
 
9.1940 45
9.1940 459.1940 45
9.1940 45nowadeba
 
BRING BACK PICTURE FRAMES
BRING BACK PICTURE FRAMESBRING BACK PICTURE FRAMES
BRING BACK PICTURE FRAMESReal estate
 
8. 1922
8. 19228. 1922
8. 1922nowadeba
 
Thanh nien voi tinh ban tinh yeuth
Thanh nien voi tinh ban tinh yeuthThanh nien voi tinh ban tinh yeuth
Thanh nien voi tinh ban tinh yeuth
Tu Sedo
 

Recommended

Team Profile for Skyline
Team Profile for SkylineTeam Profile for Skyline
Team Profile for Skyline
Hu Hai
 
10. 1946
10. 194610. 1946
10. 1946nowadeba
 
Plots in Neemrana-Behror,8459137252
Plots in Neemrana-Behror,8459137252Plots in Neemrana-Behror,8459137252
Plots in Neemrana-Behror,8459137252
sahilkharkara5
 
diabete
diabetediabete
diabeteMassimo Masserini
 
9.1940 45
9.1940 459.1940 45
9.1940 45nowadeba
 
BRING BACK PICTURE FRAMES
BRING BACK PICTURE FRAMESBRING BACK PICTURE FRAMES
BRING BACK PICTURE FRAMESReal estate
 
8. 1922
8. 19228. 1922
8. 1922nowadeba
 
Thanh nien voi tinh ban tinh yeuth
Thanh nien voi tinh ban tinh yeuthThanh nien voi tinh ban tinh yeuth
Thanh nien voi tinh ban tinh yeuth
Tu Sedo
 
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
David Sweigert
 
Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting
David Sweigert
 
Sample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisSample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark Analysis
David Sweigert
 
National Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterNational Cyber Security Awareness Month poster
National Cyber Security Awareness Month poster
David Sweigert
 
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
David Sweigert
 
National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017
David Sweigert
 
California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9
David Sweigert
 
Congressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityCongressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber Security
David Sweigert
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
David Sweigert
 
Application of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsApplication of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking Threats
David Sweigert
 
Canada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartCanada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector Chart
David Sweigert
 
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
David Sweigert
 
Cyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public CommentCyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public Comment
David Sweigert
 
Cyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public CommentCyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public Comment
David Sweigert
 
National Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTNational Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFT
David Sweigert
 
National Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackNational Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public Feedback
David Sweigert
 
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTNursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
David Sweigert
 
National Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd editionNational Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd edition
David Sweigert
 
Healthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanHealthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness Plan
David Sweigert
 
Cyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHSCyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHS
David Sweigert
 
Set off and carry forward of losses and assessment of individuals.pptx
Set off and carry forward of losses and assessment of individuals.pptxSet off and carry forward of losses and assessment of individuals.pptx
Set off and carry forward of losses and assessment of individuals.pptx
HARSHITHV26
 
Understanding User Needs and Satisfying Them
Understanding User Needs and Satisfying ThemUnderstanding User Needs and Satisfying Them
Understanding User Needs and Satisfying Them
Aggregage
 

More Related Content

More from David Sweigert

The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
David Sweigert
 
Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting
David Sweigert
 
Sample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisSample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark Analysis
David Sweigert
 
National Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterNational Cyber Security Awareness Month poster
National Cyber Security Awareness Month poster
David Sweigert
 
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
David Sweigert
 
National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017
David Sweigert
 
California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9
David Sweigert
 
Congressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityCongressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber Security
David Sweigert
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
David Sweigert
 
Application of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsApplication of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking Threats
David Sweigert
 
Canada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartCanada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector Chart
David Sweigert
 
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
David Sweigert
 
Cyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public CommentCyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public Comment
David Sweigert
 
Cyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public CommentCyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public Comment
David Sweigert
 
National Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTNational Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFT
David Sweigert
 
National Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackNational Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public Feedback
David Sweigert
 
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTNursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
David Sweigert
 
National Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd editionNational Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd edition
David Sweigert
 
Healthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanHealthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness Plan
David Sweigert
 
Cyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHSCyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHS
David Sweigert
 

More from David Sweigert (20)

The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
 
Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting
 
Sample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisSample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark Analysis
 
National Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterNational Cyber Security Awareness Month poster
National Cyber Security Awareness Month poster
 
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
 
National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017
 
California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9
 
Congressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityCongressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber Security
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
 
Application of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsApplication of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking Threats
 
Canada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartCanada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector Chart
 
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
 
Cyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public CommentCyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public Comment
 
Cyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public CommentCyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public Comment
 
National Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTNational Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFT
 
National Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackNational Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public Feedback
 
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTNursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
 
National Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd editionNational Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd edition
 
Healthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanHealthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness Plan
 
Cyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHSCyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHS
 

Recently uploaded

Set off and carry forward of losses and assessment of individuals.pptx
Set off and carry forward of losses and assessment of individuals.pptxSet off and carry forward of losses and assessment of individuals.pptx
Set off and carry forward of losses and assessment of individuals.pptx
HARSHITHV26
 
Understanding User Needs and Satisfying Them
Understanding User Needs and Satisfying ThemUnderstanding User Needs and Satisfying Them
Understanding User Needs and Satisfying Them
Aggregage
 
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challengesEvent Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges
Holger Mueller
 
Auditing study material for b.com final year students
Auditing study material for b.com final year studentsAuditing study material for b.com final year students
Auditing study material for b.com final year students
narasimhamurthyh4
 
Top mailing list providers in the USA.pptx
Top mailing list providers in the USA.pptxTop mailing list providers in the USA.pptx
Top mailing list providers in the USA.pptx
JeremyPeirce1
 
Cree_Rey_BrandIdentityKit.PDF_PersonalBd
Cree_Rey_BrandIdentityKit.PDF_PersonalBdCree_Rey_BrandIdentityKit.PDF_PersonalBd
Cree_Rey_BrandIdentityKit.PDF_PersonalBd
creerey
 
Company Valuation webinar series - Tuesday, 4 June 2024
Company Valuation webinar series - Tuesday, 4 June 2024Company Valuation webinar series - Tuesday, 4 June 2024
Company Valuation webinar series - Tuesday, 4 June 2024
FelixPerez547899
 
Putting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptxPutting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptx
Cynthia Clay
 
ikea_woodgreen_petscharity_cat-alogue_digital.pdf
ikea_woodgreen_petscharity_cat-alogue_digital.pdfikea_woodgreen_petscharity_cat-alogue_digital.pdf
ikea_woodgreen_petscharity_cat-alogue_digital.pdf
agatadrynko
 
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
taqyed
 
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdfSearch Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Arihant Webtech Pvt. Ltd
 
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdfMeas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
dylandmeas
 
Authentically Social by Corey Perlman - EO Puerto Rico
Authentically Social by Corey Perlman - EO Puerto RicoAuthentically Social by Corey Perlman - EO Puerto Rico
Authentically Social by Corey Perlman - EO Puerto Rico
Corey Perlman, Social Media Speaker and Consultant
 
Bài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.doc.pdf
Bài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.doc.pdfBài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.doc.pdf
Bài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.doc.pdf
daothibichhang1
 
Bài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.doc
Bài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.docBài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.doc
Bài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.doc
daothibichhang1
 
ikea_woodgreen_petscharity_dog-alogue_digital.pdf
ikea_woodgreen_petscharity_dog-alogue_digital.pdfikea_woodgreen_petscharity_dog-alogue_digital.pdf
ikea_woodgreen_petscharity_dog-alogue_digital.pdf
agatadrynko
 
Agency Managed Advisory Board As a Solution To Career Path Defining Business ...
Agency Managed Advisory Board As a Solution To Career Path Defining Business ...Agency Managed Advisory Board As a Solution To Career Path Defining Business ...
Agency Managed Advisory Board As a Solution To Career Path Defining Business ...
Boris Ziegler
 
Premium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern BusinessesPremium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern Businesses
SynapseIndia
 
The effects of customers service quality and online reviews on customer loyal...
The effects of customers service quality and online reviews on customer loyal...The effects of customers service quality and online reviews on customer loyal...
The effects of customers service quality and online reviews on customer loyal...
balatucanapplelovely
 
Recruiting in the Digital Age: A Social Media Masterclass
Recruiting in the Digital Age: A Social Media MasterclassRecruiting in the Digital Age: A Social Media Masterclass
Recruiting in the Digital Age: A Social Media Masterclass
LuanWise
 

Recently uploaded (20)

Set off and carry forward of losses and assessment of individuals.pptx
Set off and carry forward of losses and assessment of individuals.pptxSet off and carry forward of losses and assessment of individuals.pptx
Set off and carry forward of losses and assessment of individuals.pptx
 
Understanding User Needs and Satisfying Them
Understanding User Needs and Satisfying ThemUnderstanding User Needs and Satisfying Them
Understanding User Needs and Satisfying Them
 
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challengesEvent Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges
 
Auditing study material for b.com final year students
Auditing study material for b.com final year studentsAuditing study material for b.com final year students
Auditing study material for b.com final year students
 
Top mailing list providers in the USA.pptx
Top mailing list providers in the USA.pptxTop mailing list providers in the USA.pptx
Top mailing list providers in the USA.pptx
 
Cree_Rey_BrandIdentityKit.PDF_PersonalBd
Cree_Rey_BrandIdentityKit.PDF_PersonalBdCree_Rey_BrandIdentityKit.PDF_PersonalBd
Cree_Rey_BrandIdentityKit.PDF_PersonalBd
 
Company Valuation webinar series - Tuesday, 4 June 2024
Company Valuation webinar series - Tuesday, 4 June 2024Company Valuation webinar series - Tuesday, 4 June 2024
Company Valuation webinar series - Tuesday, 4 June 2024
 
Putting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptxPutting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptx
 
ikea_woodgreen_petscharity_cat-alogue_digital.pdf
ikea_woodgreen_petscharity_cat-alogue_digital.pdfikea_woodgreen_petscharity_cat-alogue_digital.pdf
ikea_woodgreen_petscharity_cat-alogue_digital.pdf
 
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
 
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdfSearch Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdf
 
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdfMeas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
 
Authentically Social by Corey Perlman - EO Puerto Rico
Authentically Social by Corey Perlman - EO Puerto RicoAuthentically Social by Corey Perlman - EO Puerto Rico
Authentically Social by Corey Perlman - EO Puerto Rico
 
Bài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.doc.pdf
Bài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.doc.pdfBài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.doc.pdf
Bài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.doc.pdf
 
Bài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.doc
Bài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.docBài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.doc
Bài tập - Tiếng anh 11 Global Success UNIT 1 - Bản HS.doc
 
ikea_woodgreen_petscharity_dog-alogue_digital.pdf
ikea_woodgreen_petscharity_dog-alogue_digital.pdfikea_woodgreen_petscharity_dog-alogue_digital.pdf
ikea_woodgreen_petscharity_dog-alogue_digital.pdf
 
Agency Managed Advisory Board As a Solution To Career Path Defining Business ...
Agency Managed Advisory Board As a Solution To Career Path Defining Business ...Agency Managed Advisory Board As a Solution To Career Path Defining Business ...
Agency Managed Advisory Board As a Solution To Career Path Defining Business ...
 
Premium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern BusinessesPremium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern Businesses
 
The effects of customers service quality and online reviews on customer loyal...
The effects of customers service quality and online reviews on customer loyal...The effects of customers service quality and online reviews on customer loyal...
The effects of customers service quality and online reviews on customer loyal...
 
Recruiting in the Digital Age: A Social Media Masterclass
Recruiting in the Digital Age: A Social Media MasterclassRecruiting in the Digital Age: A Social Media Masterclass
Recruiting in the Digital Age: A Social Media Masterclass
 

Credit unions respond to data breaches NCUA letter

  • 1. 1 October 30, 2014 Mr. Jim Nussle President and CEO Credit Union National Association 601 Pennsylvania Ave NW, South Bldg. Washington DC 20004 Mr. Dan Berger President and CEO National Association of Federal Credit Unions 3138 10th Street North Arlington, VA 22201 Dear Mr. Nussle and Mr. Berger, We are writing to address a number of misleading and factually inaccurate points perpetuated by the Credit Union National Association (CUNA), the National Association of Federal Credit Unions (NAFCU) and other state credit union associations in the media and before Congress in regards to the state of cybersecurity in our country. As parts of the same payment ecosystem, it is important that our shared goals remain the improvement of cybersecurity and protection of consumers. To begin with, we would like to take this opportunity to dispel a few misconceptions which seem to have arisen regarding recent cyber-attacks and the response by retailers and financial institutions. These misconceptions are as follows:  Data breaches only – or disproportionately – affect retail merchants. We know that this can be easily disproved by both empirical evidence and recent high-profile occurrences. When the 2014 Verizon Data Breach Investigations Report analyzed 1,367 data- loss incidents last year, they found that 465 (roughly 34 percent) took place at financial institutions, while fewer than 150 (less than 11 percent) affected retailers. Furthermore, the recent breach at J.P. Morgan Chase & Co. – one of the largest financial institutions in the world – is reported to have compromised the information of some 76 million households and 7 million businesses. And, as the USA Today reported on its front page October 20th, “Federal officials warned companies Monday that hackers have stolen more than 500 million financial records over the past 12 months, essentially breaking into banks without ever entering a building.” It is important to realize that both retailers and financial institution have been affected by cyber-attacks and both likely will be again.  Retailers do not share the costs incurred by card fraud. A 2013 study by the Federal Reserve looked at fraud instances associated with use of debit cards and found that retailers do share the costs incurred as a result of card fraud. In fact, costs were shown to be borne almost equally among retailers and card-issuing institutions.
  • 2. 2 These vary by transaction: for more secure PIN debit transactions the card issuer, naturally, absorbed a greater share of the fraud; for less secure signature debit transactions the merchants absorbed nearly half of all fraud losses; and for card-not-present debit transactions (transactions made online, over the telephone or by catalogue) merchants bore a greater percentage of fraud losses than card issuers did. And, merchants pay the cost of card fraud in advance, through swipe fees, before fraud is ever incurred. In fact, even the Federal Reserve’s debit card regulations are geared to provide that the average issuer has one hundred percent of its debit fraud losses covered by swipe fees. Moreover, even after absorbing substantial fraud losses, merchants are subject to massive fines by Visa and MasterCard networks and hundreds of millions of dollars in restitution through private litigation for cybersecurity breaches.  Retailers do not contribute to the costs of issuing new cards to consumers after a data breach. Merchants do, in fact, reimburse card issuers for both card reissuance and actual fraud losses following a breach based on many factors, including: the number of cards requiring reissuance, the incremental fraud associated with each individual card, and the age of the card and when it was due for reissuance, regardless of a breach. These schedules are contractually agreed upon by Visa and MasterCard and your credit union members. Merchants do not have a say in these reimbursement requirements. For example, MasterCard reimburses card issuers on the following schedule for card reissuance: This chart clearly demonstrates that a credit union with assets of under $200 million is eligible to receive a higher reimbursement rate than its larger competitors. Additionally, if there is fraud associated with the card, card issuers are again eligible for a separate fraud adjustment reimbursement. To support our insistence that CUNA and NAFCU stop repeating such false statements as “merchants bear NONE of the costs to issue…new credit and debit cards,” “merchants pay nothing when they lose my personal data, [and so] they have no reason to make their data
  • 3. 3 protection standards more stringent,” and “when the merchants cause a data breach, they just pass along all the costs…to my credit union,” we bring to your attention the specific sections of MasterCard’s operating rules where these sections may be found: 6.4.1 ADC Operational Reimbursement Factors, MasterCard Account Data Compromise User Guide, July 22, 2012. Of course, Visa maintains similar schedules to which your credit unions have contractually agreed to as well.  Retail merchants leave the burden of customer security exclusively up to credit unions and banks. Just as data breaches are a shared threat, protecting against them is a shared responsibility. Merchants spend more than $6 billion annually on data security. And retailers already employ a number of methods to protect against card fraud, including: o PIN prompting at the point-of-sale for debit cards o Card Verification Value (CVV) prompting for Internet purchases o Address/ZIP code verification o Automated transaction scoring o Data encryption o Data tokenization o Internet Protocol (IP) address/geolocation authentication Merchants pay financial institutions extra fees for some of these services. And, in addition to the safeguards listed above, retailers are proactively leading the way in advancing technology that would significantly increase protection for consumers: Chip-and-PIN payment cards. The volume of cyber-attacks has become particularly intense because the antiquated and woefully inadequate magnetic stripe technology still in place today. As issuing banks in nearly every other G-20 nation have migrated away from this 1960s-era technology to a substantially more secure technology, known as Chip-and-PIN, cybercrime and fraud have migrated to the United States. Retailers are on track to have completed an enormous investment in order to be able to accept Chip cards next year. Yet, there is still little promise that card issuers will issue such cards. In fact, financial institutions trail merchants on these technology updates in the United States and around the globe. Outside of the U.S., 70 percent of merchants have upgraded to Chip-and-PIN devices at the point-of-sale, but only 40 percent of the cards have been upgraded. That is similar to the situation here in the United States where nearly 20 percent of merchants have upgraded their terminals but less than one percent of the cards issued contain the new technology. Moreover, card issuers in the United States intend to begin issuing chip cards without requiring PINs, a feature that is proven to reduce fraud by 700 percent on debit cards alone. If this occurs, it will result in an inexcusable lapse which threatens to make billions of dollars in merchant upgrades ineffective. It is difficult to ignore the benefits of PINs for enhanced security when credit unions themselves require them for withdrawals at their own ATMs.
  • 4. 4 Reportedly, credit unions will not be issuing chip cards by the timelines set by the financial industry. According to the Credit Union Times, more than half of all credit unions are expected to miss an October 2015 date to issue cards equipped with chips. In discussing the migration to payment cards with chips, Barney Moore, manager of card consulting services for Card Services for Credit Unions (CSCU), an association of credit unions affiliated with payment processor FIS, recently told the Credit Union Times, “it seems unlikely that they [credit unions] will have gotten it done by next October.” Moore cited concerns about “costs, delays in ironing out technical details and bottlenecks among plastic card suppliers” as reasons credit unions could miss the mark. If merchants will collectively be spending $30 billion to upgrade their terminals by October 2015, it is unfathomable that credit unions are not willing to upgrade magnetic stripe cards, which cost $1 to issue, to more secure chip cards, which only cost an additional $3 to issue. Protecting our customers is a shared interest and we must all work to ensure the highest level of security possible. Instead of engaging in finger-pointing, all participants in the payments ecosystem must put in place measures that are effective, be vigilant, and embrace collaborative public-private partnerships that are available and proven to work. The bottom line is that consumers and accountholders deserve solutions, not posturing and misinformation. For these reasons, the merchant community is working together with many within the financial services industry to strengthen protections for consumers. The Merchant-Financial Services Cyber Security Partnership is a collaborative effort that has brought together more than 250 executives from all segments of the merchant and financial services communities to work with their peers to protect their shared customers. Unfortunately, while retailers, restaurants, convenience stores, hotels, national banks, card networks and community banks have joined the Partnership, one constituency has still not seen fit to participate: credit unions. It is past time we started working together for the greater good of America’s consumers. Sincerely, Sandra L. Kennedy Henry Armour President President and CEO Retail Industry Leaders Association National Association of Convenience Stores Matthew R. Shay Peter J. Larkin President and CEO President and CEO National Retail Federation National Grocers Association Leslie G. Sarasin, Esq., CAE Mark Horwedel President and CEO CEO Food Marketing Institute Merchant Advisory Group
  • 5. 5