Fine Points


Securing Payments

By Camden R. Fine, President and CEO of ICBA

Safeguarding customers’ financial information is central to maintaining essential public trust in the financial and payments systems. Nobody understands this more intrinsically than the nation’s community banks. Security, along with trusted financial products and expertise, is a foundation of every community bank’s franchise value. As dedicated financial guardians, you stand the watch for your customers every single day.

Today, community banks must defend against a staggering barrage of relentless, highly sophisticated cyberthreats. As card issuers and account providers, you know firsthand that the most successful attacks have occurred against the largest retailers. Those data breaches have resulted in record card reissue costs and other losses for community banks. The Target and Home Depot card data breaches alone have cost community banks at least $130 million to reissue customer credit and debit cards, in addition to direct fraud losses.

For years ICBA has been working to put consistently strong security standards, regulations and procedures in place across the entire payments system. In 2014, in response to massive retail breaches, ICBA released a set of core data security principles to help guide policymakers, the payment card networks, the largest banks, merchants and technology service providers through the next steps to modernize and strengthen, as well as equitably sustain, how data is protected throughout the payments system.

Three of those core principles stand out as particularly important in light of today’s cybersecurity risks and challenges.

1. Costs of data breaches should be borne by the breached party. Any breached party should bear responsibility for the fraud and mitigation costs it causes—to itself and to others. Aligning incentives to maximize data security by all parties that process or store consumer data will make the payments system stronger over time. However, payment card network rules governing fraud and card reissuance and the interchange model, designed before today’s wide-scale data breaches, amount to reimbursement of pennies on the dollar and don’t begin to fairly compensate community banks for their expenses. 

2. All payments system participants must uphold similarly strong data security standards. Since 1999, all financial institutions have been subject to rigorous data protection standards under the Gramm-Leach-Bliley Act while merchants and other payments parties have not. Every system is only as strong as its weakest link, and the weakest link must be subject to the same or similar federal data security standards. Sensitive bank data should not become vulnerable to cybercriminals because other entities involved in the payments system don’t maintain the same strong data security standards as banks.

3. Technology will never provide infallible protection. Community banks, other financial institutions and, increasingly, merchants are adopting smart-chip technology, tokenization and end-to-end encryption to construct a layered approach to security. However, because cybercriminals search for the weakest links in every system chain, the payments marketplace must retain the regulatory flexibility to continually innovate to maintain strong security.

Ultimately, data protection is a shared responsibility of all those involved in the payments system. There’s a lot of work for everyone to do. Guided by these principles and others, ICBA will continue to be the voice for the nation’s community banks toward building a flexible but comprehensive payments system that continues to protect Americans today, tomorrow and for years to come.

Reach Camden R. Fine at