The ongoing battle between card issuers and retailers grew a bit more fervent last week after Verizon Enterprise Solutions released its most recent report on cybersecurity compliance among large retail firms.
The report found, among other things, that most firms fall out of compliance with the Payment Card Industry Data Security Standard within a year after having been verified as compliant. The report also found nearly half of all American consumers have had household payment information compromised in a data security breach.
“We're 15 months from the Target breach, yet credit unions have received nothing in terms of reimbursement,” said CUNA President/CEO Jim Nussle on March 11, attacking the retailers on data breaches.
“The same goes for the Home Depot breach. The merchants responsible for the largest breaches over the last two years have paid absolutely nothing while credit unions have had to pony up at least $90 million to cover the costs for merchant data breaches. Consumers will benefit if the retailers would start following the industry security standards and support a strong federal data protection law that codifies a requirement that those who accept cards for payment follow the same standard as those who issue cards for payment,” Nussle added.
The Retail Industry Leaders Association, the trade association representing leading brick-and-mortar retailers, fired back, noting that some financial institutions had been among the corporations Verizon found not to have been PCI DSS compliant.
They also noted the Verizon report itself makes clear that any firm that takes payment cards needs to become compliant with the data security rules. Retailers blamed the overall weakness in the payment system on the financial institution industry's unwillingness to adopt EMV-compliant cards.
“Because their refusal to invest in chip and PIN technology in the United States has made all industries in the card payment ecosystem a tempting target for cyberattacks,” RILA said in a March 12 statement. “Despite a willingness to protect cardholders in Europe and Canada with this technology, financial institutions have thus far refused to implement the same security measures in the United States that we all know would reduce fraud dramatically.”
Financial institutions declined to adopt EMV with chips due to the cost, RILA charged, even as retailers are spending billions of dollars to modify their point-of-sale terminals to accept payment cards with embedded EMV computer chips.