Banks want retailers to pay for data breaches

Posted by Rurik Bradbury on December 8, 2014


Last week, the New York Times reported that a judge decided that financial institutions would be able to pursue damages against Target for last year’s massive data breach that led to the exposure of credit card and personal information of hundreds of millions of Target customers.

While the Times notes that the ruling “clarifies the legal confusion between retailers and banks in data breaches,” banks were typically charged with paying back customers and replacing stolen cards.

NYT says that the Secret Service estimates that 1,000 US merchants may have been affected by similar data breaches. While a major caveat in the Target case is that Target played a “key role” in not preparing for such a breach in advance, this creates a dangerous precedent for smaller merchants. If Target -- with its massive resources -- was deemed to be “guilty” of allowing its systems to be compromised, smaller retailers and small businesses will have an even more difficult time securing their systems against data breaches from hackers.

This is a worrisome development for merchants and retailers. It opens the door for lawsuits from financial institutions who are eager to shift the blame from themselves for data breaches. This also calls into question those ever-rising Interchange Fees -- Ars Technica notes that financial institutions have justified Interchange Fees by saying that they help customers with fraud. Are Interchange Fees defensible if banks and card networks can now sue retailers for cold, hard, cash?

Banks provide outdated technology, then blame the retailers

An easy fix to combating fraud for in-store payments is chip-and-PIN, a sort of two-factor authentication for credit cards. A user must enter the correct PIN code, but the code isn’t transferred to the retailer -- the retailer simply knows if the PIN code inputted is correct or incorrect. This prevent hackers from gaining knowledge of the PIN code, which means that even if they steal the credit card information, it’s almost useless.

However, thanks to the banks, the US has been much slower to adopt chip-and-PIN technology (or chip-and-signature, which is basically the same thing but with...your signature). While banks have been issuing these cards to retail customers, the process has been slow (did you expect anything else?). Retailers and banks are supposed to be preparing for a full transition by October 2015, but many financial technology analysts find that date to be a bit ambitious.

As for e-commerce companies, they’ve been dealing with the fallout (and costs) of data breaches for a while -- in the form of chargebacks. When these stolen cards are used to commit fraud, it's the retailer who pays -- because they must repay the money to the real card-holder, and have already lost the goods that are shipped, and the fines levied by the banks for allowing a transaction with a fraudster.

The effect on e-commerce companies remains to be seen in the case of the Target breach. Hypothetically, if a hacker uses a credit card that he or she obtained from the Target breach in an e-commerce transaction, and the owner of the card was refunded the money, the e-commerce company still loses out on the sale. Can the e-commerce seller now sue Target? Can they sue the financial institutions? Probably not.

As usual, the e-commerce merchants get a raw deal and the banks get away unscathed.

Topics: ecommerce, credit card, chargebacks, Target