The Target data breach has received a lot of media attention. With 110 million people affected, it is clearly a big deal. The banking industry hopes that this large breach will give policymakers an opportunity to re-evaluate the risks associated with the electronic payments system.
While this robust system processes more than 100 million legitimate transactions per day, criminals have found ways to exploit its weakest links, creating headaches for consumers and significant liability for banks that issue credit and debit cards.
As reported in the Jan. 29 article “15.3 million cards replaced, and counting,” the banking industry will incur huge losses from Target’s breach. Because card-issuing banks are liable for unauthorized transactions on consumer credit or debit card accounts, banks will invest considerable time and resources protecting their customers and themselves from fraud losses due to the breach. Despite the banks’ best efforts, losses will occur. Target officials are correct: Consumers have “zero liability” for fraud losses — primarily because the banking industry is on the hook for losses on consumer accounts.
To protect themselves, banks will issue replacement cards to consumers affected by the breach, either automatically or after account monitoring indicates fraud has occurred. Many Minnesota banks, large and small, have reissued cards. Banks pay between $12 and $15 for canceling a compromised card and for acquiring, activating and mailing each reissued card. The banking industry already has spent hundreds of millions of dollars reissuing cards.
Congress will hold oversight hearings on the breach and will consider new, enhanced security measures for the electronic payments system. The banking industry will support efforts to strengthen the security and integrity of this system. As part of those discussions, policymakers should also ensure that all the parties within the electronic payments system have incentives to do everything possible to prevent fraudulent transactions. Right now, all the parties do not.
The electronic payments system is complex, with several major players in the system. Retailers, merchant card processors, card networks (like Visa and MasterCard) and card-issuing banks all benefit from this system. All these players must be required to maintain the most up-to-date information security systems. Many retailers’ systems are lacking, and reports suggest that Target’s systems were especially vulnerable to this type of breach.
All the parties within the electronic payments system must also be given incentives to use the best possible anti-fraud procedures. Because retailers have no liability for fraudulent electronic transactions, they do little or nothing to prevent fraud at the point of sale. Most retailers do not take the time to verify a card user’s identification. Speed, not fraud prevention, is their priority. If retailers had some financial responsibility for fraudulent electronic transactions, perhaps they would be more interested in detecting and stopping these crimes.
The card networks’ operating procedures support the retailers’ desire for speedy transactions. When I swipe my card at the local grocery store, I do not have to provide a signature for transactions under $50. The retailer does not look at my card, check my signature or my identification. And no one even sees my card if I go through the new self-service checkout lines.
Processing transactions quickly is great, but these policies suggest that retailers and the card networks are not actively engaged in fraud detection and prevention at the point of sale, even though they are in a great position to do so.
Until using stolen cards is made more difficult for the criminals, we will continue to see these massive data breaches, and the electronic payments system will remain vulnerable.
Joe Witt is president and CEO of the Minnesota Bankers Association.