On September 13 and 14, 2006, the Payment Cards Center and the Electronic Funds Transfer Association (EFTA) hosted a conference entitled “Information Security, Data Breaches, and Protecting Cardholder Information: Facing Up to the Challenges.” The two-day event was designed to bring together a diverse set of stakeholders from the U.S. payments industry to discuss a framework to guide industry practices and inform public policy. In attendance were individuals from the major payment networks, card issuers, and banks, as well as consumer and merchant representatives and regulators.
The conference sessions addressed two fundamental questions. First, what can be done to more effectively ensure data security throughout the entire payments chain? Second, should a breach occur, what actions should be taken to protect consumers and mitigate the risks associated with any compromised data?
These issues have come to the fore because a variety of breaches from a number of firms have been widely publicized in the media. Consequently, they have become a topic of debate in Washington and state capitals across the country. Breaches threaten to undermine a fundamental underpinning of the payments industry: consumer confidence in the industry’s ability to protect and safeguard sensitive customer information. A related discussion covered the concurrent need for hard data to critically evaluate the severity of the perceived threat and increase public understanding of the real nature of the threat. Intertwined were discussions as to how these issues might be reflected in the emerging legal and regulatory framework.
Charles I. Plosser, president of the Federal Reserve Bank of Philadelphia, opened the conference on Wednesday afternoon. He focused the audience’s attention on how advances in technology and changes in regulation are altering the payments landscape. These changes are of interest to a variety of participants and stakeholders, including the Federal Reserve System. Plosser introduced Bruce J. Summers, director of Federal Reserve Information Technology (FRIT), whose keynote address elaborated on these implications.
Summers oversees the area of the Federal Reserve responsible for standards and information architecture used throughout the Federal Reserve System. He described how the fiduciary responsibilities of commercial banks and the Federal Reserve Banks have grown along with the advent of electronic banking and the increased reliance on information technology. Summers framed his discussion of security by examining best practices for safeguarding information security in three forms: information “at rest,” that is, stored on a bank’s computer; information “in transit,” that is, on the move over networks; and “information traveling,” that is, on a laptop or other movable storage device.
Summers’s address was followed by a panel discussion, “Baseline Issues for Payments Participants: Setting the Stage,” which incorporated the perspectives of banks, merchants, networks, and technology providers. The panelists warned that consumer confidence is under siege because of both real and perceived threats. At the same time, while fraud does exist, widespread misunderstanding of the practical issues is a comparable concern. Panelists suggested that these problems should be addressed concurrently, but they emphasized that the two issues call for different solutions and different incentives.
H. Kurt Helwig, executive director of the Electronic Funds Transfer Association, opened the second day of the conference, emphasizing that security can serve as a key business differentiator. He observed that the companies attending the conference are well aware of security’s importance and take the issue very seriously. Nevertheless, they also agree that they must do a better job communicating two things: what customers can do to help in the fight and what companies are doing internally to protect customer data. Communicating this message is critical, he warned, because losing consumer confidence may threaten the underlying payments business itself.
These insights would be echoed throughout the day’s sessions. In particular, Orson Swindle, senior policy advisor and chair of the Center for Information Policy Leadership at Hunton & Williams, a major international law firm, expanded on these themes with a keynote on the second morning of the conference: “The Sky Is Not Falling But It Could.” Swindle emphasized that the payments industry is predicated on the free interchange of information. This openness has brought about great innovation, but it increasingly presents unique risks. He called on conference participants to apply sound principles and solutions, many of which already exist, to ensure that customers’ data are protected. Doing so, he argued, can offer a competitive advantage. Swindle’s address was followed by a panel, “Ensuring Data Security,” which delved into concrete technologies, solutions, and best practices that can help to address the problem. The panelists noted the increased sophistication of fraudsters who continue to challenge increasingly rigorous security standards. The industry finds itself playing a game of cat and mouse, but at the same time, the panelists argued there are viable practices and procedures that can provide a defensible strategy for protecting data.
Two afternoon panels concluded the conference. The first, “After a Breach: Protecting Customers and Consumers,” focused on what to do when a breach occurs. Panelists emphasized that planning is critical; the most robust data security program must be accompanied by a well-defined action plan in the event the unthinkable occurs. Among the issues discussed were the role and shape of notifications, consumer sentiment and understanding, and the implications for payment providers.
The second panel, “Legal and Regulatory Perspectives,” attempted to place the issues raised throughout the conference into the emerging legal and regulatory framework. The panelists contrasted state and federal initiatives, discussed trends in regulation and enforcement, and addressed the degree to which the regulatory environment has been a constructive partner in designing solutions.
To close, Peter Burns, director of the Payment Cards Center, summarized several of the conference’s key themes. He noted that effective, industrywide solutions are imperative. These must be built around the correct incentives, should include the full range of stakeholders, and should encourage collaboration. A compelling business case exists for effective security; the challenge will be to develop and explain it. Burns noted that the Federal Reserve can contribute to this effort by convening the right people and encouraging a frank and open debate, as was evident during the discussions that took place over the course of the conference.