Bloomberg reports that Federal Reserve Chairman Ben Bernanke told lawmakers that there was “reason to be concerned” that the debit interchange exemption for smaller financial instructions wouldn’t be effective and may even result in bank failures.

“I can’t say with certainty, but I think there is good reason to be concerned about it,” responded Bernanke at a Senate Banking Committee hearing.

The Fed’s proposed debit interchange regulation caps swipe fees at 12 cents for transaction except for issuers with assets under $10 billion. If the exemption doesn’t produce the intended results, Bernanke warned, “it’s going to affect the revenues of the small issuers, and it could result in some smaller banks being less profitable or even failing,” he said.

Federal Deposit Insurance Corporation (FDIC) Chairman Sheila Bair also commented at the hearing that, should the exemption be ineffective, it will “stress” smaller financial institutions and result in more fees for customers, American Bankers Association CEO and President Frank Keating wrote in a press release.

“We had suggested that the Fed perhaps could use authority under Reg. E to require that the networks accept two-tier pricing, and our lawyers probably have a different perspective on that, and obviously that’s the Fed’s call as it is the Fed’s rule,” ABA reports that Blair responded. “So, if their view is that there is no reasonable authority to require that, I think it does become even more problematic. I do think that this is going to reduce revenues at a number of smaller banks and they will have to pass that on to customers in terms of higher fees, primarily for transaction accounts. That’s going to happen and again, is that the right result, is that the result Congress wanted? You need to determine that but I think that’s going to happen.”

Smaller financial institutions, including community banks and credit unions, have expressed concern they would be forced to accept the same debit swipe fees caps in order to stay competitive.

“The ABA has long held the view that the small-bank exemption will not work and cannot be made to work because having two prices for the exact same product is simply not sustainable in a free market.  As much as some in Congress might like to, they cannot overturn this basic law of economics,” wrote Keating following the hearing. “The potential harm to community banks and the consumers they serve resulting from the Fed’s debit interchange rule were not fully explored by Congress before it passed the Durbin amendment, which was never the subject of any hearings or studies. If the rule is allowed to go forward, the consequences for everyday Americans – especially lower-income consumers – will be detrimental to their financial bottom-line.” (Click here to read the full press release.)

The Electronic Payments Coalition commented that both Chairmen Bernanke’s and Bair’s testimony reinforces statements made in previous hearings this year expressing concern about possible consequences for community banks and credit unions.

“The nation’s senior economic policymakers continue to express concerns that small financial institutions and their customers will be harmed by the Durbin amendment, on the eve of intended implementation,” said Trish Wexler, spokeswoman for the Electronic Payments Coalition. “Why the rush? Slow this down and get it right before it’s too late.”

Also opposed to the Fed’s debit proposal are some of the country’s biggest banks and lenders, such as Bank of America Corp. and JPMorgan Chase & Co., which Bloomberg reports could lose more than $12 billion in annual revenue if the limit is enacted.

The Fed pushed back the initial April 21 deadline for completing its debit interchange proposal in order to fully review the deluge of public comments on the regulation that were submitted. A bipartisan group, led by Sen. Jon Tester (D-MT) have submitted a bill that would delay implementation of debit interchange caps in order to allow the impact of any potential changes to be further examined.

When asked about the issue of further study, the National Retail Federation reports Bernanke stated, “We have plenty of information. That is not a problem.”

“Chairman Bernanke has made it clear not once but twice now that there is no need to delay swipe fee reform and the savings it will bring to American consumers this summer,” NRF Senior Vice President and General Counsel Mallory Duncan said. “The big banks claim they want a study, but the truth is that they want to kill reform. The Federal Reserve and the merchant community are committed to carrying out Congress’ intent to bring these fees under control. Big banks should not be allowed to take these savings away from retailers and their customers.” (Read full statement)

It’s clear to anyone who has read the many questions that the Fed put out for comment in late December or listened to the Board hearing that—not surprisingly—regulating the highly complex, multi-trillion debit card market isn’t something mortals could do responsibly in nine months from an almost standing start. The additional time will hopefully enable the Fed to sort out how to compensate debit card issuers for fraud prevention before imposing any possible rate caps.

Chairman Bernanke has assured Congress that the Fed will meet the July 21st deadline for imposing the rules. Perhaps before then, Senator Durbin will agree that enough questions have been raised—even if they haven’t all been answered—over whether his bill is really in the public interest that he will do the right thing and take the time out, mandated by the Tester Debit Card Study Act, to make sure that consumers, especially lower income ones, don’t get the short end of the stick.

(From MasterCard’s “The Heart of Commerce” Blog)

You heard it here first, folks.

The New York Times reported March 2 that “American shoppers did not shed their reliance on credit cards over the year-end holidays.”

As to why they used credit cards, The Times notes that “retailers tend to benefit from credit card spending, as it often means people are spending beyond their budgets.”

Let’s park the question as to whether retailers “tend to benefit” from selling goods their customers may have trouble paying for.

The reality is, U.S. consumers used credit cards last Christmas to manage their money. Every piece of market research that comes into MasterCard indicates that U.S. consumers-all of them-had the living daylights scared out of them over the past two and half years. They understand that credit cards give them the flexibility and convenience of extra time to pay their bills, for a price. That consumers are willing to use credit cards to pay for Christmas gifts doesn’t mean they’re “spending beyond their budgets.” In most cases, it means they are trying to manage their money better.

The Times’s point that, yes, consumers still do use credit cards, echoes my earlier post which took issue with press reports back in December indicating that consumers were going to use cash-legal tender, greenbacks-to pay for Christmas gifts.

Consumers, though they used the word “cash” when talking to reporters, weren’t talking about tender; they were talking about their commitment to financial responsibility. In other words, their intention was to pay in full, or in installments, rather than revolve into the ozone. They were always planning to pay with plastic. And they paid not just with any plastic, but with credit cards. At least that’s what the data say.

It could hardly have been otherwise for holiday spending to be as robust as it was. MasterCard SpendingPulse reported holiday spending rose 5.5% last year over the 2009 season. So the notion of people counting out twenties at checkout for holiday gifts does not bear scrutiny. The degree to which e-commerce performed last Christmas belies the notion altogether.

At point of sale, or online, U.S. consumers as a group are trying to manage expenses versus income. And credit cards help them perform that task.

What a day at the ole’ payments corral in the “square off” initiated by VeriFone’s CEO, Mr. Doug Bergeron.

While people in our industry can be and should be very passionate about payments and security, there is a line where the message gets lost and all that’s seen is something other than reason. I must admit that I was waiting to see an effigy of Mr. Dorsey being burnt at the conclusion of the now-infamous video or the camera being toppled by a flying drop kick.

Emotions aside, let’s get to the real issues. The claim levied against Square is that it is not secure and a skimming device which needs to be immediately recalled. Can Square do things in a more secure, PCI Compliant manner? I do believe so. Does VeriFone live up to the standard of clean hands when it comes to security and do they see Square as a threat to their business model? I believe the answer is “yes”.

The root of the security problems that both organizations are either contending with or claim to have solved really revolve around the antiquated magnetic stripe credit card itself. Let’s face it , this form factor has changed little in the past thirty or so years and we probably won’t see any changes to this form factor because of the millions of magnetic stripe point of sale systems which are in market and will be for some time to come. There is a lot of talk about payments moving to the phone tomorrow using the NFC protocol. There are a few large problems with this thinking – there are not the 13 million+ NFC equipped terminals in the marketplace to take these transactions and security should be a major concern.  There is no incentive for the consumer to to “tap” versus “swipe”. There is little incentive for merchants to pay to upgrade to NFC equipped terminals in order to take “card not present” payments via the phone which will end up costing merchants a higher transaction fee. This may happen, with many of the hurdles overcome, in the years ahead but that time vacuum also allows for yet-to-be-released technologies to challenge or surpass NFC.

What really needs to occur is to make the magnetic stripe card itself more secure. Anyone can freely buy a magnetic stripe reader online for $99, plug it in to a usb port and use TextEdit or Word to read the track data on a magnetic stripe. The introduction of Square into the market has not caused this; it’s been there for years.

True security means tying the individual to the payment method (card) itself. In an unabashed plug, I invite readers to look at the iCache solution (www.icache.com). Our digital wallet, built to exceed CAST and PCI standards generates a card that is tied to the user, thereby assuring that the card that is presented for use (online and offline) is owned by that individual and that individual only. This occurs for brick and mortar and online transactions. The iCache solution also incorporates many other value added features to include issuance of dynamic CVV numbers. The iCache solution can be used anywhere in the world, without POS modification, delivering value to issuers, merchants and consumers – today.

Now that we are back from the iCache commercial, let’s analyze the real issues with Square and VeriFone.

To understand Square is to realize that Square is more about the easy on-boarding of merchants and the processing of transactions than it is about the card reader itself. The Square “dongle” is a conduit to something much bigger which is the empowerment of every consumer to become a merchant without laying out a lot of money for expensive hardware, excessive processing fees and being locked into multi year contracts with hefty termination costs. Innovation and empowerment is a wonderful thing yet it does challenge established players. With every evolution there is the possibility of a counter-revolution when another’s bottom line is threatened.

In all fairness, I do believe that Square can do more in the area of security and PCI compliance and I am hopefully sure that they will. There was not a great deal of information that I could find on the Square website which gave me complete confidence that  all of the components of the PCI DSS standards were being followed. This could be intentional as the average consumer does not probably care to read all of the technical nuances of these standards.  If the true debate is about security, it might be fair for each organization to release a table of all of the payment standards for all of their products and state their compliance for each. I do believe that today’s event is not so much about security as it is about revenue lines and the simple fact that a less expensive, easier to implement solution is gaining a foothold in the payment acceptance space and payment acceptance hardware market.

If we look at some of the VeriFone devices, as advertised on the Company’s website, the Side Swipe product line (which connects to a mobile phone for payment processing) does not appear to fully conform to PCI DSS standards for the same or similar reasons Mr. Bergeron calls for the removal of Square from the marketplace. The VeriFone Side Swipe works  “with the simple swipe of a card, data is stored directly on application software resident in the smartphone”. I am further confused by Mr. Bergeron’s statement about Square that “the issue is not whether Square’s application security is sound”, yet a case was vehemently made that Square be emasculated for security reasons.

I do believe that more truth was revealed in the comments that “….what matters is they [Square] are freely distributing….” and that the “problem is growing hourly”. What could the true problem be?

The Square hardware costs $0 while, from my research, VeriFone’s PAYware Mobile hardware sells for roughly $139+. The issue appears to further extend into the area of other fees (source: www.vantagecard.com/solutions/wireless.html). Square’s “card present” processing fee is 2.75%. Square’s termination fee is $0. To sign up for a PAYware mobile for 24 months, there is a “Boarding Fee” of $49, a “Monthly Service Fee” of $11, a “Per Transaction Fee” of $0.11 and an “Early Termination Fee” of $199. This fee structure is highly reminiscent of my landline phone bill from 10 years ago!

It is also a bit concerning that at the conclusion of the educational website established by VeriFone to inform us about Square and educate consumers about payment security that in the bottom right is a nice big button where one can sign up for PAYware – not to mention the irony of a Twitter button in the upper left!

At the end of the day, evolution is healthy, innovation has brought us out of the dark ages and competition forces us all to do things better. In competing, let’s compete hard while remembering the high road. In our industry, let’s do our best to make sure that the payment system is secure and available for all who desire to transact. The movement of value across all modes of secure rails is of paramount importance to our free market system, our economy and all those in it.

There is movement afoot to address the issue of debit card interchange.  Unless you’ve been on safari for the last three months, you are very much aware of the loud industry protestations resulting from the Federal Reserve’s Reg II, which was issued in December.  These preliminary rules would cap debit card interchange fees at $0.12 per transaction and would force financial institutions to offer a minimum of two competing networks through which merchants could process transactions.  Further, merchants would be able to direct transactions to whichever network best suited them (that is, cost them least). However, as a concession to small institutions, a carve-out was created for those with assets under $10 billion.  They would not be subject to the $0.12 cap on interchange fees, although they would be subject to the other provisions of Reg II.

A 10 to 20 basis point hit to earnings is not easy to stomach

As has been widely noted, these preliminary levels would have a significant impact on the industry.  Given the Fed’s study that found the current interchange fee averages around $0.44 ($0.56 for signature and $0.23 for PIN transactions), a cap of $0.12 results in a 73 percent reduction in debit card interchange income.  This is no minor result – the ROA impact is likely to range from a low of 11 basis points for institutions with a relatively weak retail franchise to more than 20 basis points for those institutions with a strong retail franchise.  In the midst of a very subpar economic recovery, low loan demand, high and persistent assessments, and high loan chargeoffs, a 10 to 20 basis point hit to earnings is not easy to stomach, especially when it will result in no real benefit to consumers.  This 10 to 20 basis point impact will be a direct transference into the pockets of merchants, especially the largest merchants, with some, of course, expected to find its way into political campaign coffers.

Is the under $10 billion carve-out concept workable?

It was believed that the carve-out for institutions under $10 billion would eliminate much of the opposition to this amendment.  The inclusion of the carve-out was a political consideration more than a concession to community-based financial institutions.  After all, if this could be positioned as impacting only the “Wall Street banks,” who was going to object, other than the Wall Street banks?  However, there has been a dawning realization that the carve-out concept probably is not workable; this has brought community-based financial institutions back into the discussion and thereby brought this issue back into the congressional spotlight.  It led to a curious moment during House hearings on this issue, when the vice president and treasurer of 7-Eleven, representing merchants, was asked how he would react if the government told him he could only price his Slurpees at the cost of the ice and syrup.  A fairly poignant moment.

So what are the possible actions that Congress or the Fed could take?

• Outright repeal of the Durbin Amendment by Congress.  This is what many in the industry are asking for.  The likelihood of this is not, at the present, all that high.  In listening to Congress on this matter, they don’t seem to object to the concept of limiting debit card interchange income for Wall Street banks.  They object to the fact it is not likely community-based financial institutions can be effectively protected.
• Put teeth behind the under $10 billion carve-out. The mood of many in Congress suggests they are looking for a way to ensure community-based financial institutions are not impacted by the Durbin Amendment.  There is a growing concern that a two-tier system is not workable — Chairman Bernanke even testified to this effect.  But any steps Congress can take to ensure the carve-out has teeth are uncertain.  They could require debit card processors to implement a two-tiered pricing structure (fits right within our free enterprise system!), or they could exempt small institutions from the requirement of offering two competing networks.  In either case, it seems apparent that Congress will have to act in this regard because the Fed is not likely to change their stance on minimum required networks without being forced to do so.
• Delay implementation of the Durbin Amendment.  The July 22 date for implementation is hard-wired into the legislation, so a delay would require an act of Congress.  But Congress could do so and ask the Federal Reserve to conduct more analysis and ensure smaller financial institutions are protected.
• Put pressure on the Federal Reserve to more fully address the “reasonable and proportional” requirements of the Durbin Amendment.  The Federal Reserve did not incorporate fraud and security costs into its estimates when calculating the proposed $0.12 cap on debit card transaction fees.  Pressure by the industry and Congress between now and April 22 could result in the Fed revising upward its $0.12 cap to a level that would be deemed more “reasonable and proportional.”  At what levels could the Fed settle?

The current average transaction fee from a signature debit card transaction was calculated to be $0.56 and the current fee of a PIN debit card transaction was calculated at $0.23.  In a compromise worthy of Solomon, the Fed could set the cap at $0.24, which is double the current proposed cap and more than the fee currently earned on PIN transactions.  The impact of this would be the demise of the signature transaction advantage for financial institutions, and an aggressive shift towards the PIN.  While this might make FI’s feel somewhat better, it still is going to take a considerable bite out of earnings.  For example, if the Fed doubled the cap to $0.24 per transaction, a 21 basis point negative impact on ROA is reduced to a negative 13 basis point impact on ROA.

However, the Fed could also decide to do nothing with the cap, leaving it at $0.12 and putting the onus back on Congress.  In effect, the Fed would be saying to Congress, “You enacted this legislation and we fulfilled our mandate.  We’re not going to clean up your mess.”

So how should a financial institution respond?

First, make the impact of this legislation tangible and meaningful.  Illustrate the cost of this regulation in real terms.  For example, to cover the losses generated by the Fed’s proposal, an average $750 million financial institution would have to:

• Reduce its full-time employee count by 18 people, an effective reduction of 11 percent.  This assumes $4.5 million assets per employee and $65,000 in salary and benefit costs per employee.  Or …
• Lower its rate on deposit accounts by 16 basis points, or …
• Impose a $6.08 per month fee on checking accounts with balances below $1,000.  This assumes that 60 percent of checking accounts have balances of less than $1,000. Or …
• Impose a monthly fee of $3.65 per debit card.

Second, once the true impact has been quantified in ways that will be meaningful for Congress, communicate this impact to Congress.

Which is the optimal outcome?

Obviously, the objective of any institution with assets above $10 billion is complete repeal of the Durbin Amendment.  Short of this, if an institution has assets under $10 billion, should they be satisfied with a stronger carve-out provision?

Not necessarily.

If Reg II is implemented, even with a better designed carve-out, we have entered the slippery slope of price-setting by the federal government, and this is dangerous territory.

• How long do you think it will be before the merchants go after credit card interchange?
• If the government can set price on debit card interchange, why can’t the government be able to set interest rates on deposit accounts or loans?  Or establish how much an institution can charge on checking accounts?
• Also, don’t forget the lesson of the Alternative Minimum Tax.  First implemented in 1969 to make sure that millionaires weren’t able to use tax loopholes to avoid paying any income tax, it now impacts a vast swath of the middle class as incomes have risen over the years.  The same could easily be true of the debit card interchange carve-out.  What seems like a very large threshold will be crossed by many institutions eventually.  Right now, 59 banks will be subject to the Reg II interchange cap if the carve-out is successful.  Assuming industry assets grow at an average 7 percent annual rate, by 2020 there will be more than 140 banks subject to the interchange cap.  For credit unions, three would now be subject to the cap but, by 2020, at least 10 are likely to be subject to the cap.

There now appears to be serious dialogue on the Durbin Amendment taking place.  Smaller financial institutions may decide they would be satisfied with a more enforceable carve-out.  However, the long-term health of the entire financial services industry would be better achieved by the complete repeal of this provision.

With Vision Payment Solutions, ROAMpay delivers the highest security possible and the convenience of a mobile phone. Available for use on over 400+ phones, ROAM-pay is the definitive application for processing major credit cards like Visa® and MasterCard® all on your mobile phone. With features such as real-time authorization, emailed receipts, void, and online reporting, you can trust that your business is up and processing anywhere you have cellular service.

• Quick activation
• No additional equipment costs
• DES3 secure, PCI compliant
• Quickly process credit card orders

• Real-time authorization
• Log cash orders for reporting and receipts
• Email receipts to your customers
• Cross channel touch point
• Build up your customer list
• Check transaction history and reports on your phone or online

VPS and ROAMpay also includes a web interface so you can securely enter credit card data from your PC or Mac’s desktop.

Here’s the list of 400+ phones available for processing

Send an email to: sgent@visionpayments.com if you would like agent specific pricing.

ACCEL
• Accel has announced a modification to the PINless Maximum Premium Rate from $1.73 to $1.78.

AFFN
• Retail merchants will be billed at 0.75% + $0.185 per transaction with a maximum transaction fee of $0.835.
• Supermarket merchants will be billed at $0.235 per transaction.
• Major merchants will be billed at 0.60% + $0.135 per transaction with a maximum transaction fee of $0.535.
• A new interchange level for QSR is being implemented at 1.25% + $0.16 per transaction with a maximum transaction fee of $0.485.

NYCE
• Retail merchants will be billed at 0.80% + $0.2275 per transaction.
• Supermarket merchants will be billed at $0.3175 per transaction.
• Retail Premium transactions will be billed at 0.80% + $0.3025 per transaction.
• Medical Retailer Premium transactions will be billed at 1.20% + $0.3175 per transaction.
• Small Ticket Premium transactions will be billed at 1.25% + $0.2675 per transaction.
• Quick Service Restaurant (QSR) Premium transactions will be billed at 1.25% + $0. 2675 per transaction.
• Supermarket Premium transactions will be billed at $0.3925 per transaction.
• Petroleum Premium transactions will be billed at 0.80% + $0.2475 per transaction.
• PINless Premium transactions will be billed at 0.65% + $0.2475 per transaction.
• PINless Maximum Premium transactions will be billed at $2.1175 per transaction.

Updated Interchange Guides will be posted to Aurora once available.

In all, Pleasanton, Calif.-based Javelin predicts that retail electronic-commerce volumes will grow from about $249 billion this year to $443 billion in 2015 for a compounded annual growth rate (CAGR) of 12.2%. With overall retail sales projected to grow at a much slower rate, Javelin forecasts e-commerce’s share of total sales to rise over the next five years from 6.4% to 9.2%. The new report is based on data collected online from a randomly selected panel of 4,998 consumers in September, with other data coming from government agencies, payments companies, and earlier Javelin research.

Major-brand credit cards, once the default currency of e-commerce, have been losing online market share for some time now but still will remain the most-used payment choice in 2015. The Pleasanton, Calif.-based Javelin says that despite recession-induced issuer cutbacks and voluntary reduced usage by consumers, major-brand credit card purchase volumes online will increase at a CAGR of 10.4%. At that rate, credit card volumes will grow from $99.9 billion this year to $163.6 billion in 2015. Still, with a CAGR lower than every payment rival studied except retail credit cards, the major credit cards’ share of online purchases will decline from 44% in 2009 to 40% this year and 37% in 2015, Javelin predicts.

Next in market share after credit cards in 2015 will be debit cards at 28%, little changed from 28% in 2009 and 29% this year. Javelin however, pegs debit’s CAGR at 11.8%, a good step ahead of credit’s. Volume will grow from $71.8 billion this year to $124.4 billion in five years. Younger consumers grew up with computers and prefer debit cards to credit cards in part because the former are more suited to their affinity for real-time account updates and other banking functions they can do online, according to Javelin founder and president James Van Dyke. “Debit is more of a natural payment method [to them] than credit,” he says. Van Dyke says those preferences probably won’t change, though many payment executives he’s talked to hope for a return to more credit card spending. “They think once the economy turns, the tide will come back to credit. For these young adults, credit will never come back,” he says.

The online alternatives, dominated by PayPal Inc. but including a plethora of other upstarts, will see their volumes grow from $42.6 billion to $86.6 billion by 2015 for a CAGR of 15.2%. The alternatives’ market share is set to grow from about 16% today to 20% by 2015.

Javelin says its data show that despite many Internet merchants’ slowness in offering alternative payments, 46% of consumers have used newer options such as PayPal, BillMeLater (an online credit provider owned by PayPal parent company eBay Inc.), Google Inc.’s Google Checkout, and Amazon.com Inc.’s Checkout by Amazon in the past year. From another study, Javelin determined that 91% of consumers who have used an alternative for an online purchase have used PayPal, followed by Checkout by Amazon at 24% and Google Checkout at 9%. Behind the scenes, major credit and debit cards will benefit from the alternatives’ rise because consumers often fund such accounts with a credit or debit card. PayPal and some other companies, however, route considerable volume over the lower-cost automated clearing house network.

Prepaid cards and their gift card cousins have the highest five-year CAGRs of the bunch, 16.7% and 36.3%, respectively, but that’s coming off of a small base. Javelin predicts online prepaid card charges will grow from $17.7 billion this year to $38.9 billion in 2015, while gift cards will increase from $1.7 billion to $8 billion. Collectively they’ll increase their market share from just under 8% currently to about 11% in 2010.

Javelin forecasts that online volume charged to retail credit cards will grow from $14.2 billion this year to $20.3 billion in 2015 for a CAGR of 7.4%. Retail cards’ market share will slip a bit from 6% in 2010 to 5% in 2015.

ITRC, a San Diego-based non-profit, sorts data about compromised payment cards and bank accounts into two of its five major categories: banking/credit/financial and business. In banking/credit/financial, the number of reported breaches slipped slightly to 54 from 57 in 2009, though the number of records exposed rose to 4.85 million from 8,364. In the business category, which includes merchants and processors that suffered payment card data breaches, reported breaches increased 34% to 279 from 208 in 2009 but the number of records exposed fell to 6.63 million from 132.4 million.

IRTC presents its data based on when data breaches are first reported, though the compromises may have occurred one or more years earlier. The 2009 records figure was inflated by the huge data breach reported in January of that year by merchant processor Heartland Payment Systems Inc., a breach that compromised an estimated 130 million debit and credit cards. Heartland accounted for 98% of the records compromised in the business category in 2009.

Some 170 of 2010’s breaches, or 26% of the total, involved credit or debit cards, and those breaches resulted in 29% of the known records compromised. Those figures represent the first time ITRC has broken out card data, according to ITRC founder Linda Foley. Also, 412, or 62%, of breaches involved Social Security numbers representing 76% of known records.

Hacking into computer systems accounted for 17.1% of reported breaches last year. What the IRTC calls “data on the move,” the theft or loss of laptops, flash drives, CDs, and other storage devices containing unencrypted data, accounted for 16.6%. Some other major methods of compromise include insider actions, 15.4%, and accidental exposure, 10.7%.

All the data come with a big asterisk, however. Many breaches come to light only because of media reporting or through mandates from the 46 states that have some form of data-breach reporting law, according to Foley, who estimates only 10% to 15% of breaches are actually reported. Plus, state laws vary in their requirements, as does the public’s access to the information states collect. Only five states, Maryland, New Hampshire, Vermont, Maine, and Wisconsin, make the data they collect “public in a meaningful way,” Foley tells Digital Transactions News. She does say that the state laws probably have shed more light on small breaches that previously went unreported.

Just 51% of publicly reported breaches indicated the number of records exposed and 38.5% did not state the manner of compromise, according to the ITRC. Foley’s solution: a strong federal data-breach reporting law.

Foley predicts cybercrime will increase in coming years, as will insider data thefts. “It’s the path of least resistance,” she says.

Asked if she thinks better technology and tighter data-protection practices spurred by the Payment Card Industry data-security standard (PCI) have had an effect, Foley says, “I hope so. The problem is that the IT person does understand. Then they have to convince the money people, the bean counters, that the investment [in security] is worthwhile. That’s where they get tripped up.”

ITRC also tracks data breaches at educational institutions, governmental bodies, and medical providers.