According to the global 2015 Cost of Data Breach Study by the Ponemon Institute, the average total cost of a data breach for the participating companies increased 23 percent over the past two years to $3.79 million. Now breach costs are likely to rise further as banks and payment processors shift more of the liability to retailers and other businesses that use credit or debit card processing. In addition to bearing more of the costs of payment card fraud, businesses are facing financial sanctions by payment processors and potential lawsuits by banks to recover other costs resulting from data breaches. Payment card fraud has often been perceived as a “victimless crime,” because consumer liability is limited, but banks and merchants are now falling victim to millions of dollars in unexpected costs. In this article, we look at the complex issues and ways that businesses can protect themselves.
Shifting the Pain of Payment Card Fraud
As cyber-crime has increased the size of data breaches, payment card fraud and other costs have increased. The New York Times reported that, when the 56 million stolen payment card numbers from last year’s Home Depot breach hit the black market, demand was so high that the dark marketplace website crashed. Within minutes of the card information being sold, a small California credit union saw fraudulent charges of more than $100,000 posted, and another bank saw $300,000 in suspicious charges in just two hours.
Banks and payment processors are not taking these losses lying down. Small financial institutions are now suing Home Depot and Target to recover costs from their massive data breaches, contending that the large retailers should have done more to detect the breaches and limit damages. While class action suits by small banks are new, lawsuits over payment processing costs from breaches are not. In 2007, TJX Companies, the owner of T.J. Maxx and Marshalls stores, settled with Visa and others for $40.9 million to cover costs associated with a large data breach. On the other hand, payment processors have also levied multi-million dollar “assessments” against breached businesses to cover their costs, and merchants are not swallowing those fees quietly. Businessinsurance.com recently reported on several lawsuits over what breached merchants claim are exorbitant fines.
Even if lawsuits don’t result, data breaches can trigger a long list of costly tasks associated with payment processing: mandatory forensic analysis of payment systems, Payment Card Industry Data Security Standard (PCI DSS) compliance fines, card replacement costs, and reassessment for PCI compliance. According to payment processor FirstData, the cost of a data breach for even a small-business merchant averages $36,000 and can exceed $50,000.
Wrestling Over Fees and Chips
According to the New York Times article, payment card fraud losses totaled $8 billion last year, so it’s little wonder that financial organizations and breached businesses are fighting over the costs. In addition to liability for fraud, two big points of contention are payment processing agreements and EMV cards. Under merchant payment processing agreements, payment processors can withhold money from merchants to reimburse banks for the costs of payment card fraud, and they can impose fees, fines, or penalties to cover other breach costs. However, Schnucks, a U.S. grocery store chain, sued its payment processors over withholdings from a 2012/2013 data breach, and in 2015 a federal court ruled that the retailer’s liability was limited to $500,000 because data breaches were not explicitly mentioned in the merchant payment processing agreement as an “uncapped liability.”
EMV, or “chip”, cards are another sore point with merchants. Named (or acronymed) for Europay, Mastercard, and Visa, the three worldwide payment processors who originated the standard, EMV cards are meant to reduce payment card fraud: they transmit encrypted information, generate a unique identifier for each transaction, and the microchip makes them difficult to counterfeit. As of October 1, 2015, an alliance of leading payment processors and card issuers has declared that they will shift liability for fraud due to counterfeit or stolen cards to merchants who don’t implement EMV technology in their point of sale (POS) systems. However, the upgrade to EMV card processing is prohibitive for many small merchants (as much as half the annual profits for a convenience store, according to a New York Times article). Merchants argue that the requirement is raising their liability without offering them increased protection because card issuers are not requiring use of PINs along with the cards, so the chip technology verifies that the card is legitimate but not that it is being used by its rightful owner. (Also, EMV cards don’t prevent payment card fraud for online transactions, a favorite tactic of cyber-thieves.)
Defend, Detect, and Insure
Just because liability is shifting doesn’t mean it has to land on your business. Here are four ways you can protect yourself from increased payment processing costs in the event of a data breach:
- Step up data security. If you haven’t reviewed your network security lately, do it. Simple steps like network segmentation and implementing group access controls to protect sensitive data will not only help prevent or limit the size of breaches, they should also help protect you when the question of liability arises. A white paper from the EMV Migration Forum advises that in general, “the party supporting the most secure technology for each fraud type will prevail in a chargeback; and in case of a technology tie, the fraud liability as of October 2015 generally is expected to remain as it is today – with the [card] issuer.” In other words, if you can prove you have the best protection, you don’t end up holding the bag. (MerchantMaverick also advises making the switch to EMV POS terminals, as they are likely to become a check-off item in liability assessments.)
- Monitor for privacy and security incidents and report them promptly. One of the assertions in the banks’ class action suit against Target is that the retailer’s security protocols failed to discover the breach, causing damages to amass for weeks.
- Carry sufficient cyber-insurance. Writing on BusinessInsurance.com, legal experts Jim Whetstone of Hiscox USA and David Navetta of Information Law Group advise: “Once an assessment is levied, the card brand acts as the judge, jury, and appellate court. . . While merchants have limited negotiating power when entering into the merchant agreements, and limited ability to challenge the assessment amounts, they often can insure themselves against this risk. Most cyber, privacy or data breach insurance policies provide coverage for the first-party costs a merchant can incur after a personal information breach, as well as third-party costs for defense and settlement of liability claims.”
- Review your payment processor merchant agreement. In the wake of the Schnucks ruling and other recent decisions over payment processor fines and fees, payment processors will be revising their contracts to explicitly call out data breaches and remove caps on merchant liabilities. Businesses need to figure these into their risk analyses and make sure they are covered.
While banks, payment processors, and merchants are struggling over liability issues, the real enemy here is the criminals who steal and exploit payment card information. Payment processors are planning to implement EMV-plus-PIN security for payment cards over the next couple of years, and improved data privacy and security programs and new technologies should help merchants to mitigate the frequency and severity of data breaches. Better protection of personal financial information will reduce payment card fraud and benefit everyone, including the consumers who, through higher prices and fees, must ultimately bear the costs of this supposedly “victimless crime.”
As chief strategy and marketing officer at ID Experts, Doug Pollack is responsible for the strategic direction and marketing of the company’s software and services. He has over 25 years of experience in the technology industry, having held senior management and marketing roles with Apple, Inc. and 3Com Corporation, as well as several venture-backed enterprise software startups. He holds a BS in Electrical Engineering from Cornell University and an MBA from the Stanford Graduate School of Business.
Originally posted by ID Experts Blog. Reposted with permission.