GuestView: Credit Unions Argue That Retailers Are Not Penalized When Breached. May I Ask What Planet You Live On?
Written by Steve Sommers
Steve Sommers is the Senior VP for applications development at Shift4 and this is a periodic GuestView on security issues.
A recent story in a popular security newsletter featured a headline that got my blood boiling and when I read the post, things only got worse. The essence of the piece involved the National Association of Federal Credit Unions (NAFCU) asking Congress to create laws to further punish victims of a breach. I assume NAFCU is hoping that whatever fines the government assesses on these merchants will be justly given to the issuers. The upshot is that merchants do not have any skin in the game when they are victims of a data breach. I vehemently beg to differ.
The original story started by saying that “banking institutions rarely recover the financial losses they suffer after cards are exposed as the result of a retail breach.” In just the opening line, I can cite four facts that contradict the single point made. First, what are the real costs to the issuer? Key word here, “real” costs, not “inflated for a profit.” Let’s see: $2 for the plastic, $1 for the mailer, $1 for postage, and a generous $4 for labor and overhead. That works out to $8 total, and even these numbers are grossly padded. So why do I see reports by issuers claiming a $25 to $75 “cost” to replace a card? Can you say exaggerated?
Second, most of the payment card information stolen in merchant breaches is used for fraudulent card-not-present (e-commerce) transactions. Most card-not-present fraud is charged back to the merchant even though the issuer issued an authorization code for the transaction. The issuer has little or no liability for these fraudulent card-not-present transactions; instead, merchants bear the cost burden. Maybe e-commerce merchants should band together and ask Congress to force issuers to honor the authorization codes they issued. The issuer should be more responsible (and liable) here.
Third, merchants are fined by the card brands for breaches. Reading that post, you would think the merchant simply says, “Oops, my bad,” and continues on without penalty as if nothing happened. Wrong. Merchants are fined (technically, their acquirer is fined and then passes the fine on), not just as the result of a breach, but also as the result of not being PCI compliant (which, in theory, is what prevents a breach in the first place).
Since PCI’s inception (and even before), the card brands have argued that the fines paid by a breached merchant (OK, “reimbursement”) are used to cover card replacement and other costs. This would indicate that the issuer gets a significant portion of these fines. If the issuer is not part of the fine revenue stream, then they should take this up with the card brands, not the merchants.