Target Breach: MasterCard Weighs New Settlement

New Reimbursement Plan on the Table After Visa's Settlement

Target's Aug. 17 settlement with Visa to reimburse card issuers up to a reported $67 million for expenses related to the retailer's 2013 data breach may pave the way for a similar revised settlement with MasterCard. And it could eventually derail banks' pending lawsuit against the retail giant.

In May, banks and credit unions rejected MasterCard's proposed $19 million settlement with Target on the grounds that the compensation for breach-related expenses, including card reissuance, was inadequate. The card issuers chose, instead, to continue to push for more money through their class action lawsuit.

But now that Visa's leading issuers impacted by Target's breach have accepted Visa's settlement deal, MasterCard says it, too, is wrapping up negotiations with the retailer for a revised settlement to present to its issuers.

In an Aug. 19 statement provided to ISMG, MasterCard says it plans to submit a new settlement plan to Target that resembles Visa's deal.

"MasterCard is pleased that Target announced its settlement agreement yesterday," the statement says. "We have been working closely with Target on this from the start, and they have indicated to us that the same approach and comparable terms are being made available to MasterCard issuers. This reflects our ongoing collaborative efforts over the past few months to resolve the matter. We will now place the revised Target settlement offer in front of our customers for their consideration."

And if that revised settlement gets the approval of MasterCard's major issuers, some observers predict the banks' lawsuit against Target eventually could be dropped.

Motivation to Settle

"If the banks can just get a couple of dollars per card they had to reissue because of a breach, they will settle," says one attorney who specializes in cybersecurity and breach litigation, who asked not to be identified. "Banks are conservative. They're litigation and risk averse," and that could work in Target's favor.

Banks and credit unions will likely accept any settlement that offers a reasonable payout, says Jeff Man, a strategist and security evangelist for continuous network monitoring firm Tenable Network Security. That's because they want the media attention surrounding the Target breach and questions about payments security to go away, says Man, a former qualified security assessor for PCI compliance.

"You have to remember that all of the players have a vested interest in Target succeeding as a company, which translates into more credit and debit sales," Man says. "Conflicts of interest aside, it would behoove all of the banks, processors and card brands to quickly move to settlement. The more common breach settlements become, the more normalized the breach recovery costs will become, which will make negotiating these settlements easier in the long run."

Visa's Settlement

While The Wall Street Journal, quoting people familiar with the deal, places the value of the agreement with Visa at up to $67 million, Visa and Target, in acknowledging an agreement has been reached, have yet to confirm that figure.

If the settlement amount offered by Target to Visa is, indeed, $67 million, Man offers this calculation to determine the amount per card that should be paid to issuers:

"Visa controls roughly 60 percent of the payment-card market, followed by MasterCard at about 25 percent, American Express at 10 percent, and Discover at 5 percent," he says. So if 40 million cards were compromised in the Target breach, that would average out to 24 million Visa cards, 10 million MasterCard cards, 4 million American Express cards and 2 million Discover cards, he says.

"If Visa is settling for $67 million and lost 24 million cards, that works out to about $2.80 per card," Man explains. "The rejected MasterCard deal, which stood at $19 million for 10 million compromised cards, works out to $1.90 per card."

If MasterCard ups its amount just enough to get card issuers a reimbursement that's closer to $2.80, then it's likely card issuers will accept the deal and forget the lawsuit, he contends.

Could Lawsuit Be Dropped?

Legal experts say it's common for settlements to include contingencies that prevent parties from suing once they accept the deal.

Assuming that all of Visa's leading card issuers, which are commonly known to be Chase, Bank of America, Capital One, U.S. Bank and Citibank, accepted the deal, they're all likely to drop out of the class action lawsuit, the unidentified attorney says.

"The big five banks are in the class, and it looks like, with this settlement, Target is picking them off," the attorney notes. "Without those five banks, the class will be substantially smaller."

But having fewer institutions involved in the suit, on its own, won't adversely affect the pending litigation, the attorney says. "These lawyers will continue to soldier on," he says. "I suspect that some of the financial institutions that aren't the big five are going to take the settlement, but not all of them."

Things could change dramatically, however, if MasterCard comes back to the table with a better deal.

What Should Retailers Pay?

Avivah Litan, a financial fraud expert and analyst at the consultancy Gartner, says she's not convinced that breached retailers should pay more to cover losses and expenses associated with breaches - which makes assessing the adequacy of settlements such as Visa's impossible.

"This process is totally opaque, and there is no hard information available for market observers to analyze," Litan says.

To assess what Target should pay requires knowing what the retailer already paid in interchange and merchant fees, she contends. "Those fees are intended to be 'fair market' and competitive mechanisms to ensure there is a balance across benefits and costs incurred by both retailers and issuing banks," Litan says. "And the setting of those fees is anything but transparent."


About the Author

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



