Banking & Finance, November 28, 2014

Credit cards hacked? Who pays ‘em back?

Banks, credit unions, retailers spar over liability for breaches

A battle is brewing between banks, credit unions and retailers over who is responsible for reimbursing consumers whose credit cards have been compromised in data breaches.

Big data breaches such as those at Heartland, Target, Staples and Home Depot have drawn attention to a problem that has been around for years, but is escalating because of more sophisticated hackers and the millions of consumers whose bank accounts and personal data have been pilfered.

Financial institutions are on the hook for reimbursing their customers for fraudulent charges whether they are responsible for the breach or not. But they want merchants to chip in to cover these costs and help pay for the costs of reissuing cards when data breaches occur through their point-of-sale systems.


“Right now banks are having to cover the costs, even when they are not at fault,” said Don Childears, president of the Colorado Bankers Association. “Congress needs to create a way to deal with the party that is responsible. … We don’t want to put retailers out of business, but we need statutory change. Maybe not a 100 percent reimbursement from the parties at fault, but there should be some sharing of covering reimbursements to customers.”

Many costs involved

Childears said the cost of reissuing one card is about $25, which includes the $3 to $5 cost of the card itself and the time it takes bank staff to identify a card that has been hacked, notify the customer, provide instructions on what to do, generate the new card, mail it and then activate it.

That can become costly in itself, Childears said, depending on the number of cards affected. But the cost becomes greater for banks when they not only take the hit on fraudulent charges but also cover other costs cardholders face, such as late-payment fees on auto-pay programs, because the account has been closed for the period between discovering the breach and issuing the new card.

Shawn Osthoff, president of Bank of Colorado in Fort Collins, agrees there needs to be a change in who’s liable.

“Merchants need to tighten up their systems,” he said, “and be required to follow the Gramm-Leach-Bliley Act,” known as the Financial Services Modernization Act of 1999. It includes requirements for protecting consumer data and breach notification, to which banking institutions must adhere. Banks and credit unions that do not comply with the GLBA data-protection requirement face civil and criminal penalties, including fines of up to $10,000 per violation. But merchants whose systems are compromised aren’t held accountable, he said.

Osthoff said Bank of Colorado is in the process of implementing chip and PIN cards, but he noted that even if banks issue the more secure chip and PIN cards, they are effective only if merchants upgrade their point-of-sale systems to accept them.

“The cost should be paid by the party whose systems were at fault in a breach,” Osthoff said. Bank of Colorado declined to disclose how many of its customers have been affected by credit-card breaches.

Charlie Sheffield, a spokesman for the Colorado Retail Council, declined to comment on the issue but referenced a letter from the Retail Industry Leaders Association to credit union organizations saying that merchants already pay financial institutions extra fees for data encryption and other services.

Gary Kindle, vice president of operations for Boulder-based Elevations Credit Union, said because of Visa’s Zero Liability promise to consumers, the credit union has had to “take the hit” with recent breaches at national retail chains. The credit union declined to disclose the number of its members whose cards have been compromised or the cost incurred.

In the case of the Target breach, Kindle believes a 50/50 split to cover costs and reimbursements would be fair. “Target was a victim, too,” he said.

Courts and Congress

A class-action suit filed by a group of banks against Target to recoup millions of dollars from the recent Target breach is playing out in court.

Childears doesn’t believe any of the nearly 500 banks in Colorado’s association are taking part in class-action lawsuits, and is unaware of any legislation in the works to address the issue.

Childears said he makes a couple of trips a year to Washington to “educate politicians on issues, but we don’t want to bug them prematurely,” he said.

U.S. Rep. Ed Perlmutter, D-Colo., who represents the 7th Congressional District and sits on the Financial Institutions and Credit Cards subcommittee of the House Financial Services Committee, is monitoring and gathering information on the issue, said Ashley Hausey, a Perlmutter spokeswoman. “But right now there isn’t any proposed legislation to address the issue,” she said.

Hausey said Congress is working on legislation to address standards for more quickly notifying cardholders whose cards have been breached, which in turn would limit the damage.

Kevin Cirilli, who covers Washington politics for The Hill, wrote that Congress has been slow to take up cyber-security legislation. Most Republicans and Democrats support implementing a national data notification standard that would require retailers to notify consumers when their information had been breached.

Republicans want a standard that would allow for the industry to evolve with rapidly changing consumer technology. Democrats want a more stringent standard that they say would better protect consumers from the patchwork of lenient standards in the states.

Keeping up with technology

While technology is available to make cards harder to hack, there’s no assurance they won’t be, and banks have been slow to make the investments needed to adopt the next level of card security – chip and PIN cards, which have been widely adopted in the United Kingdom and Ireland.

On these cards, data is stored on a tiny computer chip – not a magnetic stripe – and customers punch in a four-digit PIN (personal identification number) instead of signing the screen.

Chip and signature, as the name implies, is an alternative that requires the cardholder to verify identity by signing a printed receipt rather than entering a personal identification number.

Visa and MasterCard aren’t banks and don’t issue credit cards or merchant accounts. They act as custodians and clearinghouses for their respective card brands. They also function as the governing body of a community of financial institutions, managed-services providers of IT and international organizations that set standards to support credit-card processing and electronic payments.

Chris McWilton, MasterCard’s president for North America, told Washington Post blogger Danielle Douglas, “The merchants and the banks were saying ‘I don’t need to invest in this technology. My fraud losses are manageable, and it’s too extensive to do it.’ ”

Three years ago MasterCard and Visa, and a few other credit-card companies, laid down an ultimatum that “any actor” without chip technology in place by October 2015 would have to bear the cost of fraud. But with more sophisticated hackers affecting millions of accounts, adoption may now become a priority.


Top retail credit-card breaches

eBay

Online auctioneer eBay is technically a broker between merchants and customers, not a retail outlet in its own right. However, it certainly is in the retail sector, where it has one of the world’s best-known brands. Last year, it was taken for 145 million customer accounts, currently the largest known haul of credit card data from a single targeted victim.

Heartland Payment Systems

The payment processor for a host of retail businesses had no fewer than 130 million credit card accounts stolen in 2009, in a hacking operation for which four Russians and a Ukrainian were ultimately indicted. Heartland was, in fact, only the single largest victim in this, regarded as the biggest credit-card hack of all time. The team’s other retail victims included JCPenney and 7-Eleven.

TJX

It was back in the Bronze Age of criminal hacking, in 2005, that TJX Companies, parent of the Marshalls and T.J.Maxx chains, got hit for 94 million accounts. The breach was not discovered until the next year, and Visa reported fraudulent transactions on those accounts in 13 different countries. A cybercriminal named Albert Gonzalez, called “Soupnazi,” is now serving 20 years for the crime.

Home Depot

This big-box hardware retailer has become the newest inductee into the top five after reporting that it had been breached for 56 million credit-card accounts. As John Zorabedian reports at Naked Security, losses currently are pegged at $62 million. However, the dust from this attack is only beginning to settle, and that figure is likely to rise.

Target

This big-box retailer received an unwelcome present last holiday season when it reported the theft of 40 million credit-card accounts. In all, 70 million customers had at least some of their information compromised. On top of the $240 million spent to replace customers’ cards, both sales and the company’s stock price were driven down by the resulting public fallout.


Doug Storum can be reached at 303-630-1959, 970-416-7369 or dstorum@bizwestmedia.com.
