The Fraud Blog with Tracy Kitten

Why Visa's Paying Banks More after Breaches

New Tiered System Designed to Help Smaller Institutions
Why Visa's Paying Banks More after Breaches

The debate between merchants and banking institutions over accountability for card fraud has been a heated one for the past year and a half (see Retail Breaches: End the Finger Pointing).

See Also: ISO/IEC 27001: The Cybersecurity Swiss Army Knife for Info Guardians

Banks say retailers should be held accountable for more expenses resulting from breaches for which they bear some responsibility.

But retailers argue that the interchange fees they pay to the card brands to route transactions through their networks are designed to cover breach-related expenses. When a retailer is breached, Visa and MasterCard pay issuers from these fees paid by retailers.

So, retailers have said that if the banks have a grievance about how they are reimbursed for card-reissuance, they should direct their concerns to the card brands.

Well, it seems they have.

Last week, Visa agreed to increase pay to banking institutions when they must reissue cards in the wake of a merchant breach.

The American Bankers Association announced on May 14 that Visa had agreed to substantially increased reimbursements to community institutions, which typically have more difficulty than larger banking institutions when it comes to covering all of the costs associated with fraud detection, mitigation and card reissuance. Visa is moving to a tiered system, with higher reimbursements for all banks, based on annual card purchase volume.

The new tiered reimbursement system will pay smaller card issuers, such as community banks, more for the cards they have to reissue, the ABA says.

"As retailer data breaches, including those at Home Depot and Target, have become more frequent and more damaging, banks have responded proactively by reissuing cards - preventing millions of dollars in fraud losses," the ABA says in its statement. "An ABA survey last year that was shared with the card networks found that smaller banks pay significantly more to reissue."

The ABA says it's been lobbying for a year for the card brands to re-assess their reimbursement structure. So this was a big win, from the ABA's point of view. But so far, Visa is the only card brand to make any changes.

Rather than paying $2.50 for each re-issued card - which historically was the rate paid to every institution impacted by a breach, regardless of the institution's asset size or Visa transaction volume - banking institutions with less than $500 million in annual Visa purchase volume will now be paid $6 per for every card they have to reissue in the wake of a breach at a merchant, according to the ABA.

Visa declined to comment about the adjusted system. But Jim Chessen, the ABA's chief economist, says the higher reimbursements are a huge step forward for community banks, which really take a hit when they have to reissue cards. Chessen says smaller institutions' volume of Visa transactions is too low for them to absorb the high expense of reissuing cards.

"I think Visa really took a great step forward and realized that the cost for smaller issuers was too high and very expensive," Chessen says. "The tiered approach recognizes higher expenses for smaller-volume issuers."

Other adjustments now accounted for in Visa's tiered system:

  • Institutions with between $500 million and $10 billion in annual Visa transaction volume will now receive $3.85 for each card reissued;
  • Institutions with more than $10 billion in annual Visa transaction volume will receive $2.65 per card; and
  • In addition to the higher rates tied to a bank's size, all issuers will be reimbursed an additional $1 for every chip card they reissue.

The changes take effect July 1 and will be applied to all card-reissuance expenses associated with breaches that are detected after that date, the ABA says.

MasterCard did not respond to my inquiry about whether it plans to change any of its reimbursement allocations. But ABA's Chessen says he's hopeful it will follow Visa's lead.

While MasterCard already reimburses card issuers based on a tiered system, Chessen says the payout rates should be higher for smaller institutions.

"The ABA has been trying for more than a year to get Visa and MasterCard to reconsider their reimbursement rates," he says.

Chessen says results from a July 2014 survey of 500 ABA member banks, which were asked about the reissuance expenses they incurred after the Target breach, garnered attention from the card brands.

"We had a lot of interest and long conversations with both Visa and MasterCard as a result of that survey," Chessen tells me. "It was clear that smaller issuers bear a bigger burden."

I'm surprised Visa declined to comment about this new reimbursement structure. It's a positive step.

But given that the card brands have remained silent in the midst of all the wrangling that's been going on between bankers and retailers, it's not surprising that Visa wants to stay on the periphery of all the finger-pointing.

Your thoughts on this latest move?

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.