Newsroom

Dear Leader McConnell and Leader Reid:

On behalf of the National Association of Federal Credit Unions (NAFCU), the only trade association exclusively representing our nation's federally chartered credit unions, I write today to bring your attention to the Food Marketing Institute's (FMI) recent letter to the card networks asking them to delay the October 2015 deadline for the EMV liability shift. As you know, at that time the payment networks will shift the responsibility for any fraud resulting from a payment transaction to the party using the least-secure technology.

Credit unions have worked tirelessly to do their part in providing a safe and secure payments system for consumers across the country. As credit unions and their 100 million members continue to suffer as a direct result of recent merchant and retailer data breaches, FMI is more concerned about the cost of complying with the EMV standards and how quickly they can process transactions than it is about consumers and doing everything they can to protect their customers from future breaches. FMI's delay tactic is remarkable given the extraordinary number of merchant and retailer breaches that have occurred in recent months coupled with the intense interest in preventing breaches from lawmakers and the regulatory agencies.

Indeed, this is just the latest effort by FMI and other merchant and retail groups to intentionally detract from substantive issues, including stringent data safekeeping, in favor of sound-bite arguments focusing exclusively on a smoke-and-mirrors campaign on "chip and PIN." Despite the continued "chip and PIN" rhetoric from groups like the National Retail Federation (NRF) and Retail Industry Leaders Association (RILA), their large retailer members are contacting the payment networks and demanding an implementation delay. Congress should not be fooled by these groups' unscrupulous tactics and falsehoods.

In addition, FMI and other merchant and retail groups have continued their claims that credit unions and other financial institutions are somehow compensated for the reissuance of plastic cards that are compromised is unsubstantiated. A February 2015 survey of NAFCU members found that the estimated costs associated with merchant and retail data breaches in 2014 averaged $226,000 per institution. Of their losses, respondents expect to recoup less than 0.5 percent.

While NAFCU has long believed that the conversation about EMV is important and that merchants and retailers should do their part in this regard, Congress must act to ensure technology standards are accompanied by strong data safekeeping standards for merchants and retailers akin to what credit unions comply with under the Gramm-Leach-Bliley Act (GLBA). Merchants, retailers and credit unions are all targets of cyberattacks. The difference is that financial institutions have developed and maintain robust internal protections to combat these attacks; they are required by federal law and regulation to protect this information and notify consumers when a breach occurs that will put them at risk. By contrast, merchants and retailers are not covered by any federal laws or regulations that require them to protect the data and notify consumers when data is breached.

In short, it's time for merchants and retailers to act in good faith and do everything they can to protect consumers, and that includes embracing EMV technology and welcoming a GLBA-like standard that would help prevent breaches from occurring. Thank you for your continued attention to this important matter. If my staff or I can be of assistance to you, or if you have any questions regarding this issue, please feel free to contact me or NAFCU Senior Vice President of Government Affairs and General Counsel Carrie Hunt, at (703) 842-2234.

Sincerely,

B. Dan Berger

cc: Members of the United States Senate

Enclosure:

March 23, 2015, letter from Leslie Sarasin, President & CEO, Food Marketing Institute to the card networks re: delaying EMV liability shift