Who should pay the costs of helping consumers recover when bad guys break into a corporate computer system and steal their personal financial information?
The question has attracted new scrutiny in the aftermath of data breaches at major retailers during last year's holiday season.
Traditionally, banks have paid for fraud detection, customer service and card cancellation and reissuance. But now, some banks are saying merchants should be financially responsible.
The Independent Community Bankers of America, or ICBA, a trade group in Washington, D.C., recently told a congressional subcommittee that such costs can be significant and should be paid by whoever is at fault.
"We strongly believe that these costs should ultimately be borne by the party that experiences the breach. This is critical to aligning incentives to maximize data security by all parties that store consumer data," the group said in its statement.
Banks are already subject to data-protection standards mandated by the federal Gramm-Leach-Bliley Act, or GLBA. Now they want merchants and payment-processing companies to be subject to similar standards.
"To adequately protect consumers and the payments system, all participants in the payments system -- including merchants -- should be subject to GLBA-like standards," the association said.
Separately, the National Retail Federation, or NRF, said it wants banks to issue more secure credit cards and debit cards with newer technology.
The group sent a letter to Senate Majority Leader Harry Reid, D-Nev., and House Speaker John Boehner, R-Ohio, saying retailers are committed to combating data breaches.
"We strongly recommend the adoption of meaningful steps to fight cybertheft and credit card fraud," NRF President Matthew Shay wrote in the letter.
The NRF said it supports "an immediate transition" to so-called chip-and-PIN cards that store data in a chip and require the use of a personal identification number, or PIN, instead of a signature. These cards are more common in Europe and other parts of the world than they are in the U.S.
"Retailers cannot do this alone," Shay wrote.
Follow me on Twitter: @marciegeff.