The Fraud Blog with Tracy Kitten

Paying for Target Breach: The Debate Banks, Retailers Blame Each Other for Lax Card Security

Bankers and retailers are hotly debating who should be liable for losses and expenses associated with the 2013 point-of-sale breach at Target Corp.

See Also: 2016 State of Threat Intelligence Study

More than 40 million U.S. credit and debit cards are believed to have been compromised during the Target attack. It's not the largest card compromise the payments industry has ever faced, but it is shaping up to be one of the most publicized and perhaps the most costly.

It's clear that breach cost issues won't be resolved overnight. But it's good to see a healthy debate on the subject. 

Banking associations in recent weeks have been outspoken why they feel those responsible for a breach should pay banks back for their expenses and losses tied to payment card compromises.

The Consumer Bankers Association says card reissuance and related expenses since the Target attack have so far cost its 58 members $172 million.

David Pommerehn, the CBA's senior counsel and assistant vice president, says in a recent interview that the CBA supports federal legislation that would require parties responsible for breaches, such as the Target incident, to pick up the costs associated with recovery, including the cost banks have to pay to reissue cards and refund customers for losses that result from fraud.

Similarly, Viveca Ware, executive vice present of the Independent Community Bankers of America, says retailers won't take action to enhance their security until they are forced, through legislation or some other enforceable mandate, to pay for the compromises that result from their lax security.

What's more, no one understands the formula the card brands use to determine compensation to card-issuing institutions for losses that result from retail breaches. And it's difficult to gauge how much, if anything, a bank or credit union might receive from the card brands if and when a breach results in compromised cards, Ware says.

Readers React

The interviews with Pommerehn and Ware generated a great deal of response from our readers, illustrating just how heated the debate over who should pay losses linked to retail breaches is becoming.

In response to Ware, one reader writes: "Lifting the interchange cap on plastic transactions would be a start in allowing financial institutions to account for retailers' lack of concern."

Gray Taylor, a security and compliance expert for the National Association of Convenience Stores, writes in another response to Ware: "The simple fact about Target - the inconvenient truth - is that every account that was compromised shared one trait; signature authentication capability. I believe that the real question is how the card brands - those responsible for the structure of their product - should compensate the banks and Target for the breach. This post-breach discussion is a distraction from the core issue - how do we reduce risk? The 1980s mentality of the current system, that assumes dedicated and secure networks, combined with the laughable practice of account 'login' without an account 'password' (try logging into Facebook without your password) makes the card brands complicit with the thieves."

Not All Agree

Readers also offer passionate responses to my interview with CBA's Pommerehn.

Peter Cooper writes: "When more than about 8 issuers provide EMV credit cards to consumers in the U.S., perhaps the CBA can begin discussions about the recovery of costs of breaches. The bottom line is that the mag-stripe cards are fundamentally hard to secure and are extremely vulnerable to cloning and fraud."

Many retailer supporters have urged card issuers to switch from mag stripe cards to more secure chip cards that conform to the Europay, MasterCard, Visa standard, including the National Retail Federation and Target (see Finger-Pointing at Breach Hearing).

Reader William Murray writes: "Let the banks whine all they like. It is nice to know that they are finally feeling the pain of their reluctance to issue EMV cards. I would love to testify for Target if they sued the banks for the costs that they have incurred for the banks' negligence in not issuing EMV cards."

In response to this dialogue spurred by Pommerehn, another reader writes: "Fraud charges to customers' accounts are not reimbursed or charged to the merchant. The banks have to reimburse the customer for the fraudulent charge and write it off as a fraud loss. We replaced just over 400 cards at our little community bank, and the bill from the card replacement/reissue company was over $2,700. That does not count the hours and hours spent fielding phone calls from customers - customers who didn't read their mail when the card was reissued and called because their old card quit working, the tracking down by our operations personnel of each of the fraudulent charges and doing the work to reverse the charge and reimburse the customer. And that breach was not the 'Target' breach, it was a regional breach by a retailer who, like Target, did not take seriously the protection of customer data."

It's clear that breach cost issues won't be resolved overnight. But it's good to see a healthy debate on the subject.

I encourage you to share your opinion in the space below.



About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network