How Target's credit card breach could cost other ecommerce merchants $400 million

Posted by Pat Phelan on January 2, 2014

The numbers in Target's credit card breach are astronomical. Over 40 million credit card numbers have been stolen leading to a potential fine of over $3 billion for Target.

The cards are easily purchasable online right now and like many financial institutions, I have bought, without any great technical knowledge needed, a few to test our technology stack. Should you be worried ?

Yes, you absolutely should. Especially if you are travelling overseas and using a card that you used to make a purchase in a Target store. The interesting part of this story is the cards are now being used to fraudulently make purchases from online ecommerce stores and this problem is only going to get bigger. This isn't just a Target problem, TK Maxx had a theft of almost 50 million cards a few years ago and Sony have had a huge issue recently too.

Adam's card was used to make a purchase of $897.59 from Sprint the cellular carrier, who you would assume would have one the best anti fraud system on the planet.

So what happens next? If just 5% of the stolen credit cards are used to make one fake transaction before they are all cleared out of the system using the average fraudulent transaction statistic of $200 from last year you are looking at losses to e-commerce merchants of $400 million.

Here's where it gets really funny, who pays the bill here?

  • Not the customer, he/she reports it as a fraudulent transaction.
  • Not Target, whose only concession was to offer their hacked customers a small discount.
  • Not the credit card companies who issued the cards.
  • Not the merchants payment gateway provider who told them the transaction was ok after getting a signal from the issuing bank.

The merchant takes the full hit here.

  • He/she loses the goods which they shipped to the fake purchasers.
  • He/she loses the funds as the credit card companies issues an immediate demand for a refund from the merchant account issuer over which they have no control.
  • To make it even worse for every fraudulent transaction the merchant must pay $15-$20 chargeback fee.

This totally unconnected merchant who sold their goods honestly, expecting payment gets the only real pain of all this and that's just wrong.

Topics: fraud, Identity