Massachusetts Bankers Assn Responds To TJX Data Breach
The Massachusetts Bankers Association (MBA) said in a press release late yesterday that, in addition to VISA USA, MasterCard is now contacting Massachusetts banks to report that some of their customers’ personal banking information may have been compromised due to the data breach reported by TJX Companies. The association said that "Bay State banks are acting quickly to protect customers who have been red-flagged by the two card associations after doing business with TJX stores including TJMaxx, Marshalls, Winners, HomeGoods, TKMaxx, AJWright, and HomeSense." The MBA also said it is "questioning the TJX’s self-characterization as being “victimized” by the intrusion in a news release issued yesterday by the retailer." Daniel J. Forte, CEO and president of the MBA, said, “We think it’s a little odd that they would characterize themselves as victims when it appears that they may have been capturing data that is unnecessary.”
Retailers, upon processing a debit or credit card purchase -- that is, verifying that the information on a card is correct, and that customers have money or credit in their accounts -- are prohibited by card network rules from retaining that information. “After the transaction clears,” said Forte, “there is no reason to store any data.” TJX has not indicated what data it routinely captures, but the range of problematic data includes account numbers, expiration dates, personal identification numbers, and other verification information. “The company did indicate,” said Forte, “that driver’s license information may have been captured and exposed.”
Two years ago, after a data breach that occurred at BJ’s Wholesale Club, the MBA established the New England Debit Card Task Force. The group, consisting of the banking trade associations from the New England states, individual community bankers, and representatives from the American Bankers Association, America’s Community Bankers, the Independent Community Bankers of America, and the California Bankers Association, has been meeting frequently to address this very issue and develop ways to moderate fraud. The task force has worked closely with Visa and MasterCard, engaging in dialogue centered on protecting consumers and seeking to moderate the impact and the costs that banks must bear when such data breaches occur.
“Visa and MasterCard have both been increasing fines and penalties for retailers when violations such as this are uncovered,” said Forte. “Moreover, in Massachusetts,” added Forte, “through the work of the Debit Card Task Force, we have been leading an effort to manage the impact of fraud on consumers and our banks when it occurs due to a retailer’s data breach. We are strongly supporting recent legislation in Massachusetts that would place the liability for the expenses that banks must bear in the hands of the retailers at fault. We hope that long term, this approach would be the motivation that retailers need to enhance the security of their systems and protect consumers, as well as your local bank. While expensive for all banks, ninety-five percent of the banks in Massachusetts are community banks, and these costs can be particularly tough for smaller banks and credit unions to absorb.”
Forte explained that when a bank must issue new cards due to a retailer’s data breach, it can add up to a significant expense considering that thousands of cards could be involved. “MasterCard, and now Visa, has in place a process for banks to make claims for the cost of re-issuing cards,” he said, “however, there is no guarantee that the full amount will be reimbursed. Additionally, there is the fraud issue. If a fraud does take place, MasterCard and Visa have a zero liability policy in place for the benefit of consumers, which is good. However, the cost is borne by the bank even if the retailer is responsible for a major violation of the card association rules resulting in fraud. Does this make sense?”
Forte added, “Bottom line, we believe it is critical that the card associations – Visa, MasterCard, etc. – and public officials carefully evaluate whether retailers should be held liable for a data breach, particularly when the information being stored is in violation of card network rules.”
The New England Debit Card Task Force, following the breach involving BJ’s Wholesale Club, began advocating a number of steps to enhance security. Its major recommendations include:
- Notification – Giving banks the ability to notify customers on a timely basis;
- Liability for the Fraud – Retailers should be held accountable, at present banks absorb the cost;
- Full Reimbursement for card re-issue – This cost, if not fully covered, can be significant for banks;
- Stronger Encryption Standards and Data Capture Limits – a must to protect consumers.

Although the MBA expects the number of banks and exposed cardholders in the TJX incident to rise, the MBA is telling customers not to worry. “You may not be in the affected group,” said Forte. “There is no reason to contact your bank. It will reach out to you if there is a problem. This is a situation that was not caused by your bank but you should know, if your information was exposed, we are working hard on your behalf. If you are notified that you are in the impacted group, remember just because your data was exposed, fraud may not occur. Nonetheless, it’s a good idea to check your statements and balances regularly, and order a credit report which you can receive free of charge once a year.”




