
Broken Payment System Guarantees Another Breach Like Target's

In the wake of the Target breach, I am struck by the almost universal lack of understanding of the essential issues at hand. Consumers are the primary victims, but merchants take a hit, too. Why? Because our payment system is broken. It does not have real security in place because the credit card companies that control the system can push the costs of fraud onto retailers.

To fully understand the magnitude of the systemic failure manifested in the Target breach, one needs to understand the "product" at the source of the breach: credit and debit cards. The two largest brands, Visa (NYSE: V) and MasterCard (MA), control all of the elements related to the operation of their card networks – including the swipe fees, the largest part of what merchants are charged to accept the cards, how consumers' account information is protected and who pays for fraud. For doing that, Visa and MasterCard reaped a collective $8.1 billion in profits over the past 12 months, with minimal exposure to any financial loss related to security flaws in their products – like those that caused the Target breach.

Merchants have precious little say in how the card products in the consumer's wallet are protected from theft, even though trade association studies have found merchants cover most losses from credit card fraud. While Visa and MasterCard dictate card security and allow transactions to proceed without authentication or encryption, they have little real interest in implementing effective security because they don't absorb many fraud losses.

In other words, doing what is right would cost Visa and MasterCard without adding to their revenue. So they don't bother.

Some pundits disingenuously blame the Durbin amendment to the Dodd-Frank Act. Durbin's courageous attempt at curbing the runaway societal costs of the debit payment system paid to the largest banks has no direct financial impact on Visa and MasterCard. In fact, under Durbin, merchants paid $250 million in special interchange fees over the past year to the largest banks covered by the Durbin amendment to "innovate" data security methods that better protect the consumer. Any contention that Durbin may have financially hamstrung issuing banks (the fewer than 200 covered under Durbin) from doing the right thing is just wrong.

Merchants have invested tens of billions of dollars over the past five years in securing the estimated 12.6 million "endpoints" where consumers transact as part of the card brands' mandates for improved data security. But much of that money was spent just to comply with Payment Card Industry security standards. PCI is controlled by the major card companies and, instead of focusing on the most effective anti-fraud systems possible, such as simply requiring the use of PIN, PCI focuses on pushing costs onto merchants. Target was in compliance with PCI standards. Clearly that wasn't enough.

While it is easy to vilify Target, the retailer is a victim along with consumers. We're all hurt by the major card companies devaluing security because they push the costs onto merchants. The card companies' refusal to take on real card security has made the U.S. more vulnerable and fraudsters around the world know it. Our country is a magnet for fraud even though we pay the highest swipe fees in the industrialized world. Real card security standards need to come from an objective source, such as a standard-setting organization or regulator, not the card companies, if we are ever going to turn around our dismal results.

Doug Kantor is counsel for the Merchants Payments Coalition.





Comments (11)
The Merchants Payments Coalition does not plan to weigh in on the substance of any of the comments here, but did want to make sure it was clear that there was no lack of disclosure by the American Banker or Doug Kantor. The comment from Johnny Tremaine states that it should be disclosed that Mr. Kantor is "counsel for an upstart competitor to MasterCard and Visa." It appears that this comment is referring to MCX, which is a payment system founded by merchants. But Mr. Tremaine has been misinformed. Mr. Kantor is not and has never been counsel to MCX. In fact, he has never done any work for MCX or any other competitor of Visa/MC.

-Sara Durr, Spokesperson for the Merchants Payments Coalition

Posted by SDurr | Monday, January 13 2014 at 5:47PM ET
Speaking of disingenuous... The American Banker needs to exercise full disclosure here. The author of this article presents nothing less than a skewed and/or self-serving perspective. He is a counsel for an upstart competitor to MasterCard and Visa that is attempting to institute a retailer-controlled payment system. A key piece that he fails to mention (gee, I wonder why???) is that the only time a retailer has liability is when the retailer mishandles the transaction or allows the consumer information to become compromised, as Target did. This is NOT journalism. This is propaganda.
Posted by Johnny Tremaine | Monday, January 13 2014 at 12:55PM ET
I suggest Mr. Kantor's organization assist its members in protecting their environments, and then we can resume the merchant litigation storyline once customer information is safe and secure. I note that since Mr. Kantor's opinion piece was penned, there have been disclosures that the scope of the Target breach has grown to 70+ million and includes customer email information, and that additional retailers have been hacked.
Posted by dave_fortney | Monday, January 13 2014 at 10:21AM ET
Incredible! Visa, MasterCard, and other so-called "brands", to include what were formerly called Regional Debit Networks such as Pulse, STAR and NYCE, built the infrastructures that enable the payment systems to operate and process billions of dollars in payments. In order to do so they must strike a balance between the interest of merchants and card issuers. Similarly the processors who connect merchants to networks (brands) and issuers have also invested, and create an environment that together with the networks facilitate commerce, and have a right to expect a return. Their market valuation is, like everyone else's, a function of revenues. Let's be clear then, to maximize that valuation, both brands and processors craft the rules of engagement between merchants and issuers in a manner largely designed to benefit the retailers and merchants to move market share and drive their own revenues. Market share is measured by the number of payments routed through one network rather than another. Why else is merchant routing of such importance? Intrusive regulations which serve only to obfuscate the fundamental economics tip the balance and reward the merchant community by encouraging disingenuous arguments such as Mr. Kantor's. In a market free from regulations we could all choose economically sound alternatives. Merchants do not have to accept card payments, go back to "house accounts", hold the receivables, oh, wait, they could be sold to a bank at a discount, or how about cash or checks!
Posted by FAB-Montaed | Friday, January 10 2014 at 4:11PM ET
Talk about picking and choosing your facts. The major card networks have been trying to force the merchants for several years now to implement EMV chip standards with no cooperation. This would be the most aggressive strike against fraud/hacking that could be taken. The big stumbling block? Merchants refuse to upgrade their card readers to EMV chip capable readers. MasterCard and Visa both have mandated 2015 as the drop dead date where EMV chip cards must be handled or face fines and other penalties. So really now, who is making their decision based on finances, and not the elimination or mitigation of fraud? Clearly it's the Merchants. MasterCard and Visa spend billions on encryption and data security. Clearly they DO take fraud seriously.
Posted by CardProc | Friday, January 10 2014 at 3:23PM ET
As expected, a quite biased view from a merchant. Wonder how he might have written the article differently, or at all, had it been authored after the disclosure today of an internal Target database that exposed personal information on 70 million customers and had nothing to do with fraud.
And the contention that merchants bear most of card fraud costs is hogwash. Merchants do bear almost 100% of card not present fraud, but issuers bear most of the fraud losses associated with the card present fraud. Clearly there needs to be some better authentication methods dealing with CNP transactions as EMV does nothing in that environment, but many merchants won't invest in any of the multi-factor authentication products out in the market today.
What will really be interesting is how this breach impacts the plans of MCX and their planned merchant payment system.
Posted by Just Saying | Friday, January 10 2014 at 2:31PM ET
Mr. Kantor, counsel for the merchants, fails to note that financial institutions pay a steep price for fraud. His critique of being "disingenuous" could equally be applied to his assertion that retailers bear the brunt of fraud. Also, why do retailers so readily accept cards? Clearly cheaper to process than cash and checks, so retailers are benefiting as well from the system. They are not victims of the networks as Mr. Kantor seeks to portray them. Benefit brings accountability for all parties involved.
Posted by rkf | Friday, January 10 2014 at 9:52AM ET
Mr. Kantor raises very good points and I agree that merchants do take a lot of the fraud (the reason many times is that they have to approve a transaction when online is not possible and of course the entire CNP world). I do agree that PIN is a good security feature but PIN alone will not help. We know that today magstripe PIN debit is not secure and the only reason they are not getting the major fraud is that the same card can be used with signature (so why bother with PIN). PIN needs to be implemented alongside a dynamic security and the only viable option is EMV. I think if we use PIN we should use offline PIN so that merchants don't store them (even if they are encrypted) and this way we get the best level of security for the card present space. Card companies do set standards and they have done well with EMV and they are now requiring this in the US although there is a lot of resistance from everyone. So I think once we get EMV on its way in the US we can focus more on the CNP where the industry is craving a real security solution - some are out there and surprisingly enough they have nothing to do with encryption and tokenization and more with dynamic security which will put most of the cost on the issuers and not the merchants!
Posted by JustdoEMV | Friday, January 10 2014 at 9:52AM ET
Mr. Kantor fails to point out it was Target's systems that were compromised, not Visa's or MasterCard's. I agree with Delmari that the cost of fraud is not pushed to retailers. Card issuers bear the burden of card fraud.
Posted by Lifetimer | Thursday, January 09 2014 at 5:19PM ET
I would argue that the cost of fraud is not pushed to retailers, but rather, in the case of fraud on debit cards, to the financial institution who issued the card. Merchants (retailers) have minimal responsibility for the cost of fraudulent transactions.
Posted by Delmari | Thursday, January 09 2014 at 2:40PM ET
Add your comments here.
Posted by choffman1 | Thursday, January 09 2014 at 2:34PM ET