Paul Gentile

In 2007, the TJX Corp. suffered a computer hack that eventually ended up affecting the accounts of 45.7 million customers. One would think that over the course of seven years, major retailers would have had plenty of time to develop and deploy a system to protect the sensitive personal data of their customers and the financial institutions that issue the cards which allow their businesses to operate.

Unfortunately, that is simply not the case. Since 2007, we have seen the scenario repeated over and over again. In fact, in 2012 alone there were 156 confirmed breaches. Recently, the Home Depot breach has topped them all. The company announced in September that 56 million cards have been compromised in the most recent data breach.

The payment system is a three-way partnership between the consumer, the financial industry and merchants. The integrity of the system is dependent on each of those groups holding up their end. Right now the consumer and the card issuers are doing their part, but the retailers have simply not stepped up – and they have had plenty of time.

Home Depot’s CEO was quick to let consumers know that they will not be liable for any fraudulent charges. He failed to note that credit unions and other card issuers will be on the hook for a good deal of the cost, just as they have been when other breaches have occurred in the past. Sadly, we know the drill all too well at this point. We collect the data, analyze the impact on our members and then notify them, determine whether or not cards need to be reissued, staff up our call centers and monitor accounts.

What is preventing the retail industry from making any significant progress on this important problem? The reason is that data security standards are inconsistent across the board, and they most certainly should not be. Credit unions and other financial institutions are subject to high data protection standards under the Gramm-Leach-Bliley Act, but merchants are not subject to federal data protection standards.


Holding Merchants Accountable

Under today’s federal law, there is no merchant accountability. That has to change. This lack of accountability on the part of the merchants is directly reflected in the small investment that they make in cybersecurity. While the finance industry spends as much as $2,500 per employee on cybersecurity, retail and consumer products companies dedicate about $400 per employee.

Merchants have to be held accountable for the damages that breaches to their systems cause financial institutions and consumers. It is clear that the threat of monetary penalties is the only thing that motivates the retailers to properly secure their systems. EMV, tokenization and other technologies are critical to the innovation of the payments system. Before those investments are made, however, Congress has a role to play in addressing the issue of merchant data breaches: making sure all of the participants are playing by the same set of data security rules, and making sure that merchants who hold consumer data and allow that data to be breached are responsible for the costs incurred by others.

All participants in the payment process have a shared responsibility to protect consumer data, but the law and the incentive structure today allow merchants to abdicate that responsibility, making consumers vulnerable.

Congress must act to protect consumers by taking steps to enhance data security standards for merchants.


Paul Gentile is president of the Massachusetts Credit Union League.

Business As Usual That The Payment System Cannot Afford

by Banker & Tradesman