GuestView: Credit Unions Argue That Retailers Are Not Penalized When Breached. May I Ask What Planet You Live On?
Written by Steve SommersSteve Sommers is the Senior VP for applications development at Shift4 and this is a periodic GuestView on security issues.
A recent story in a popular security newsletter featured a headline that got my blood boiling and when I read the post, things only got worse. The essence of the piece involved the National Association of Federal Credit Unions (NAFCU) asking Congress to create laws to further punish victims of a breach. I assume NAFCU is hoping that whatever fines the government assesses on these merchants will be justly given to the issuers. The upshot is that merchants do not have any skin in the game when they are victims of a data breach. I vehemently beg to differ.
The original storystarted by saying that “banking institutions rarely recover the financial losses they suffer after cards are exposed as the result of a retail breach.” In just the opening line, I can cite four facts that contradict the single point made. First, what are the real costs to the issuer? Key word here, “real” costs, not “inflated for a profit.” Let’s see: $2 for the plastic, $1 mailer, $1 postage, a generous $4 for labor and overhead. That works out to $8 total and these numbers are grossly padded. So why do I see reports by issuers claiming $25-$75 “cost” to replace a card? Can you say exaggerated?
Second, most of the payment card information stolen from merchant breaches is used for fraudulent card-not-present/e-commerce transactions. Most card-not-present fraud is charged back to the merchant even though the issuer issued an authorization code. The issuer has little or no liability for these fraudulent card-not-present transactions. Instead, merchants bear the cost burden. Maybe e-commerce merchants should band together and ask Congress to force issuers to honor the authorization codes they issued–the issuer should be more responsible (and liable) here.
Third, merchants are fined by the card brands for breaches. Reading this post you would think the merchant simply says, “Oops, my bad,” and continues on without penalty as if nothing happened. Wrong. Merchants are fined (technically, their acquirer is fined and then passes it on), not just as the result of a breach, but also as the result of not being PCI compliant (which, in theory, is to prevent a breach).
Since PCI’s inception (and even before), the card brands have argued that the fines paid by a breached merchant (OK, “reimbursement”) are used to cover card replacement and other costs. This would indicate that the issuer gets a significant portion of these fines. If the issuer is not part of the fine revenue stream, then they should take this up with the card brands, not the merchants.
-Marc
June 17th, 2013 at 12:17 pm
As the foremost global organization that fully supports and promotes operational excellence for fraud, security, risk and payment professionals within eCommerce, we agree with the majority of your editorial. However, to clarify, issuers are NOT the only players who detect fraud or breaches. Many eCommerce/CNP merchants have made a significant investment, not just in data security but also in fraud recognition and prevention tools to detect fraudulent activity and purchases prior to delivery of goods or settlement of the transaction. I do not want to down play the role of issuers and instead would characterize the environment as collaborative between both parties. Happy to provide you with additional information at your leisure.
Karisse Hendrick
Merchant Risk Council
June 17th, 2013 at 1:21 pm
Good point. My mindset was focused on breach and breach prevention costs. I knew I was missing additional merchant costs but I was experiencing writers block in that section of the post. I briefly touched on this topic with my reference to “little or no liability for these fraudulent card-not-present transactions,” but I did not specify the additional costs to the merchants beyond chargebacks and service/merchandise loss.