A study released Monday finds that most banks are expecting healthy growth over the next few years on the strength of their retail banking operations. But are banks focusing enough on the issue of data security?
Nearly 80% of the more than 100 retail bank executives in the United States, Europe, and Asia Pacific surveyed by Accenture between April and July 2005 said they believe strengthening their cross-selling capabilities is a key element to support growth in their retail banking businesses. To improve cross-selling, surveyed banks say they want to focus internally on improvements to advisory and selling capabilities, as well as data mining, workflow, and central marketing capabilities.
But nowhere does the survey mention efforts by the banks to better secure the information they collect from new clients they hope to attract. The study was fielded prior to a major security breach last month that has banks worldwide scrambling to protect their retail customers by blocking PIN-based debit transactions and reissuing debit cards. Banks and law enforcement, which have offered little information about the cause or extent of the breach, say they're still attempting to determine the scope of the problem.
Forty-two percent of those Accenture surveyed expect their retail banking business to grow annually by more than 10% over the next three to five years, and another 42% say they expect annual revenues to increase 5% to 10%. The recent data breach and subsequent expense incurred to reissue cards could have a negative impact on profits, to say nothing of each bank's reputation.
Visa in February issued a statement acknowledging that a U.S.-based merchant that accepts Visa payments "may have experienced a data security breach resulting in the compromise of Visa card account information." Visa then alerted banks whose customers might be affected by this data breach so that the banks could monitor transactions for fraud and, if necessary, reissue cards.
Moves by several banks, including Bank of America, Citibank, Washington Mutual, and Wells Fargo, to block some PIN-based debit transactions are related to the data breach at the same merchant, a Visa company spokesman acknowledged, but he wouldn't reveal who that merchant is, what data was stolen, or how the data was stolen. In the meantime, Visa has been recommending that cardholders regularly monitor their account statements and alert their issuing bank of any unusual activity.
Wells Fargo last week confirmed that since mid-February it has had to reissue debit cards for some of its customers internationally, although a company spokeswoman wouldn't say how many cards were reissued. Wells Fargo began examining its customers' debit card transactions more carefully following Visa's February warning.
The lack of information available to the public from Visa, the affected banks, and law enforcement is "fanning the flames" of consumers' lack of confidence in cashless transactions, says Beth Givens, director of the Privacy Rights Clearinghouse, a consumer advocacy group. "We do not recommend that consumers use debit cards," she adds. "They have more protection by law when they use credit cards. The problem with debit cards is that your own funds can be compromised," whereas credit card purchases can be appealed without directly impacting the card user's personal bank account.
As concerns over the exposure of sensitive customer data grow, laws are being put in place to force banks and other businesses to more promptly report data breaches. More than 20 states have adopted data breach notification legislation in order to protect consumers from companies reluctant to reveal their inability to protect sensitive information. "The most important aspect of writing the law was changing the corporate culture regarding how they viewed breaches and fraud loss," says Dana Mitchell, legislative director for California Assemblywoman Cindy Montanez. Mitchell, who in 2003 helped draft the groundbreaking California Security Breach Notification Act, adds, "Companies viewed fraud loss as a customer service in absorbing the loss without notifying the customers." California's law was prompted by the breach of computers at a state data center containing information on as many as 265,000 state workers. The breach was discovered on May 7th, 2002, but employees weren't notified until May 21st.
Visa advises all companies that handle payment card information to adhere to the Payment Card Industry, or PCI, data security standard, which defines how card and cardholder data should be managed and processed to keep it secure and forbids retailers from storing PINs online. PCI standards also require access control measures, regular network monitoring and testing, and an information security policy, as well as annual security audits and quarterly network scans.
California's law requires any company that conducts business in the state to disclose any breach in the security of the data of any resident of California whose unencrypted personal information has been compromised and acquired. While the data stolen from Visa's merchant was encrypted, thieves reportedly also made off with the master encryption key, which means those banks are still subject to the breach notification guidelines. "According to the California law, if you lost the key with the encrypted data, the law still takes effect," Mitchell says.
Visa archrival MasterCard has also been torched by data security woes. Last June MasterCard notified banks of a breach of payment card data, which may have exposed more than 40 million cards of various brands to fraud. The breach occurred at CardSystems Solutions Inc., a third-party processor of payment card data, and affected about 13.9 million cards carrying the MasterCard brand.