Target Breach: MasterCard Weighs New SettlementNew Reimbursement Plan on the Table After Visa's Settlement
Target's Aug. 17 settlement with Visa to reimburse card issuers up to a reported $67 million for expenses related to the retailer's 2013 data breach may pave the way for a similar revised settlement with MasterCard. And it could eventually derail banks' pending lawsuit against retail giant.
In May, banks and credit unions rejected MasterCard's proposed $19 million settlement with Target on the grounds that the compensation for breach-related expenses, including card reissuance, was inadequate. The card issuers chose, instead, to continue to push for more money through their class action lawsuit.
But now that Visa's leading issuers impacted by Target's breach have accepted Visa's settlement deal, MasterCard says it, too, is wrapping up negotiations with the retailer for a revised settlement to present to its issuers.
In an Aug. 19 statement provided to ISMG, MasterCard says it plans to submit a new settlement plan to Target that resembles Visa's deal.
"MasterCard is pleased that Target announced its settlement agreement yesterday," the statement says. "We have been working closely with Target on this from the start, and they have indicated to us that the same approach and comparable terms are being made available to MasterCard issuers. This reflects our ongoing collaborative efforts over the past few months to resolve the matter. We will now place the revised Target settlement offer in front of our customers for their consideration."
And if that revised settlement gets the approval of MasterCard's major issuers, some observers predict the banks' lawsuit against Target eventually could be dropped.
Motivation to Settle
"If the banks can just get a couple of dollars per card they had to reissue because of a breach, they will settle," says one attorney who specializes in cybersecurity and breach litigation, who asked not to be identified. "Banks are conservative. They're litigation and risk averse," and that could work in Target's favor.
Banks and credit unions will likely accept any settlement that offers a reasonable payout, says Jeff Man, a strategist and security evangelist for continuous network monitoring firm Tenable Network Security. That's because they want the media attention surrounding the Target breach and questions about payments security to go away, says Man, a former qualified security assessor for PCI compliance.
"You have to remember that all of the players have a vested interest in Target succeeding as a company, which translates into more credit and debit sales," Man says. "Conflicts of interest aside, it would behoove all of the banks, processors and card brands to quickly move to settlement. The more common breach settlements become, the more normalized the breach recovery costs will become, which will make negotiating these settlements easier in the long run."
While the The Wall Street Journal, quoting people familiar with the deal, places the value of the agreement with Visa at up to $67 million, Visa and Target, in acknowledging an agreement has been reached, have yet to confirm that figure.
If the settlement amount offered by Target to Visa is, indeed, $67 million, Man offers this calculation to determine the amount per card that should be paid to issuers:
"Visa controls roughly 60 percent of the payment-card market, followed by MasterCard at about 25 percent, American Express at 10 percent, and Discover at 5 percent," he says. So if 40 million cards were compromised in the Target breach, that would average out to 24 million Visa cards, 10 million MasterCard cards, 4 million American Express cards and 2 million Discover cards, he says.
"If Visa is settling for $67 million and lost 24 million cards, that works out to about $2.80 per card," Man explains. "The rejected MasterCard deal, which stood at $19 million for 10 million compromised cards, works out to $1.90 per card."
If MasterCard ups its amount just enough to get card issuers a reimbursement that's closer to $2.80, then it's likely card issuers will accept the deal and forget the lawsuit, he contends
Could Lawsuit Be Dropped?
Legal experts say it's common for settlements to include contingencies that prevent parties from suing once they accept the deal.
Assuming that all of Visa's leading card issuers, which are commonly known to be Chase, Bank of America, Capital One, U.S. Bank and Citibank, accepted the deal, they're all likely to drop out of the class action lawsuit , the unidentified attorney says.
"The big five banks are in the class, and it looks like, with this settlement, Target is picking them off," the attorney notes. "Without those five banks, the class will be substantially smaller."
But having fewer institutions involved in the suit, on its own, won't adversely affect the pending litigation, the attorney says. "These lawyers will continue to soldier on," he says. "I suspect that some of the financial institutions that aren't the big five are going to take the settlement, but not all of them."
Things could change dramatically, however, if MasterCard comes back to the table with a better deal.
What Should Retailers Pay?
Avivah Litan, a financial fraud expert and analyst at the consultancy Gartner, says she's not convinced that breached retailers should pay more to cover losses and expenses associated with breaches - which makes assessing the adequacy of settlements such as Visa's impossible.
"This process is totally opaque, and there is no hard information available for market observers to analyze," Litan says. p>
To assess what Target should pay requires knowing what the retailer already paid in interchange and merchant fees, she contends. "Those fees are intended to be 'fair market' and competitive mechanisms to ensure there is a balance across benefits and costs incurred by both retailers and issuing banks," Litan says. "And the setting of those fees is anything but transparent."