In the wake of the Target breach, I am struck by the almost universal lack of understanding of the essential issues at hand. Consumers are the primary victims, but merchants take a hit, too. Why? Because our payment system is broken and does not have real security in place because the credit card companies that control the system can push the costs of fraud onto retailers.
To fully understand the magnitude of the systemic failure manifested in the Target breach, one needs to understand the "product" at the source of the breach: credit and debit cards. The two largest brands, Visa (NYSE: V) and MasterCard (MA), control all of the elements related to the operation of their card networks – including the swipe fees, the largest part of what merchants are charged to accept the cards, how consumers' account information is protected and who pays for fraud. For doing that, Visa and MasterCard reaped a collective $8.1 billion in profits over the past 12 months, with minimal exposure to any financial loss related to security flaws in their products – like those that caused the Target breach.
Merchants have precious little say in how the card products in the consumer's wallet are protected from theft, even though trade association studies have found merchants cover most losses from credit card fraud. While Visa and MasterCard dictate card security and allow transactions to proceed without authentication or encryption, they have little real interest in implementing effective security because they don't absorb many fraud losses.
In other words, doing what is right would cost Visa and MasterCard without adding to their revenue. So they don't bother.
Some pundits disingenuously blame the Durbin amendment to the Dodd-Frank Act. Durbin's courageous attempt at curbing the runaway societal costs of the debit payment system paid to the largest banks has no direct financial impact on Visa and MasterCard. In fact, under Durbin, merchants paid $250 million in special interchange fees over the past year to the largest banks covered by the Durbin amendment to "innovate" data security methods that better protect the consumer. Any contention that Durbin may have financially hamstrung issuing banks (the fewer than 200 covered under Durbin) from doing the right thing is just wrong.
Merchants have invested tens of billions of dollars over the past five years in securing the estimated 12.6 million "endpoints" where consumers transact as part of the card brands' mandates for improved data security. But much of that money was spent just to comply with Payment Card Industry security standards. PCI is controlled by the major card companies and, instead of focusing on the most effective anti-fraud systems possible, such as simply requiring the use of PIN, PCI focuses on pushing costs onto merchants. Target was in compliance with PCI standards. Clearly that wasn't enough.
While it is easy to vilify Target, the retailer is a victim along with consumers. We're all hurt by the major card companies devaluing security because they push the costs onto merchants. The card companies' refusal to take on real card security has made the U.S. more vulnerable and fraudsters around the world know it. Our country is a magnet for fraud even though we pay the highest swipe fees in the industrialized world. Real card security standards need to come from an objective source, such as a standard-setting organization or regulator, not the card companies, if we are ever going to turn around our dismal results.
Doug Kantor is counsel for the Merchants Payments Coalition.