Target data breach could be costly for payment partners

BOSTON Tue Jan 14, 2014 9:33pm EST

The sign outside the Target store is seen in Arvada, Colorado January 10, 2014. REUTERS/Rick Wilking

The sign outside the Target store is seen in Arvada, Colorado January 10, 2014.

Credit: Reuters/Rick Wilking

Related Topics

BOSTON (Reuters) - Companies that help Target Corp process payments could face millions of dollars in fines and costs resulting from the unprecedented data breach that struck the retailer over the holiday shopping season.

Investigators are still sorting through just how thieves compromised about 40 million payment cards and the information of about 70 million Target customers. But people who have reviewed past data breaches believe Target's partners could face consumer lawsuits and fines that payment networks such as Visa Inc and MasterCard Inc often levy after cyber security incidents.

Target's partners "have deep pockets and are intimately involved in certain aspects of how Target gets paid," said Jamie Pole, a cyber security consultant in Asheboro, North Carolina, who works for government agencies and the financial industry.

Fines and settlement costs could reach into the millions of dollars for individual companies, he said, though much will depend on how the ultimate liability for the breach is determined.

Boston attorney Cynthia Larose of Mintz Levin said Target would likely seek to add its partners as defendants to lawsuits already filed over the breach. "These class-action lawsuits start to bring everyone in at some point," she said.

After its systems were penetrated by hackers in the mid-2000s, retailer TJX Companies Inc agreed to pay up to $40.9 million to cover fraud costs in a settlement with Visa. Visa also issued penalties of $880,000 against Fifth Third Bancorp of Ohio, which processed transactions for TJX.

Asked about the business relationships and possible costs, Target spokeswoman Molly Snyder declined to comment, citing the ongoing investigation and pending suits. A Visa spokeswoman declined to comment. A MasterCard spokesman said the company could not discuss an ongoing investigation.

HANDLING TARGET TRANSACTIONS

Several companies are involved in any purchase from a store such as Target. A bank issues the consumer's payment card, while a separate organization known as the "merchant acquirer" handles the payment for the store, when the card is swiped. Companies such as Visa and MasterCard operate the networks over which the payment request and confirmation are sent.

Companies performing these roles for Target were identified in a research note by Robert W. Baird & Co analysts on December 19.

According to the note the merchant acquirer used by Target for credit and debit card transactions is Bank of America Merchant Services, a joint venture of Bank of America Corp and KKR & Co's First Data Corp.

A spokesman for the joint venture declined to comment, as did a spokesman for Bank of America. Bank of America is due to release earnings on Wednesday morning. A spokeswoman for First Data, Nancy Etheredge, said via email that the company "processes some transactions for one of Target's merchant acquirers" but declined to offer more detail.

The note also identified Vantiv Inc of Cincinnati as processing transactions for Target customers who type in personal identification numbers for debit transactions. It said Vantiv expected "no impact from the breach." Vantiv representatives did not return messages.

Target-branded payment cards are issued by Toronto's TD Bank Group. A spokeswoman said via e-mail that "It would be inappropriate to comment on any potential fines at this time."

One author of the Baird report, analyst Timothy Wojs, said it is too soon to predict what fines or settlement costs might result. In the past, fines by Visa and MasterCard have been insignificant to payment processors but set the stage for larger settlements to cover bank losses, he said.

FINING THE MIDDLEMEN

Fines in cyber cases have drawn some push-back from merchants. In a case in U.S. District Court in Nashville, Tennessee, specialty retailer Genesco Inc Inc is suing Visa over the $13.3 million it says Visa wrongfully collected from its banks, Wells Fargo & Co and Fifth Third.

Visa collected the money after a cyber-attack obtained payment data, though the data was handled within industry standards, according to the company's complaint.

Wells Fargo declined to comment. A spokeswoman for Fifth Third did not respond to questions. In court filings Visa defended its actions as in keeping with laws and contracts.

(Reporting by Ross Kerber in Boston; Editing by Richard Valdmanis, Peter Henderson and Lisa Shumaker)

FILED UNDER:
We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/
Comments (4)
chekovmerlin wrote:
I would hope it would cost all of them. It’s their fault for being so cheap about security and saying, “It’s a business decision and we don’t mind losing some money.” Too expensive. They don’t ever take into consideration the frustration, the hours of work, etc. that “We the people….” have to go through. All they care about is the bottom line. No thanks. I’ll never shop at Target again.

Jan 14, 2014 10:24pm EST  --  Report as abuse
Neurochuck wrote:
If the underground market sells the stolen card data by the location of the store, or from the matched customer mail address, then one could guess that crims could give themselves a working holiday in NYC or Hawaii or Aspen, with maybe a short term holiday lease address, and charge various things to some of the “local” cards.
The customers challenging the charges would then in theory be capable of doing the transactions themselves, be suspected of credit fraud, and maybe have to defend criminal charges.
No ?

Jan 14, 2014 11:42pm EST  --  Report as abuse
BlueOkie wrote:
Any customers been harmed by fraud yet? If nothing else the system will get tighter.

Jan 15, 2014 10:52am EST  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.