
Broken Payment System Guarantees Another Breach Like Target's


In the wake of the Target breach, I am struck by the almost universal lack of understanding of the essential issues at hand. Consumers are the primary victims, but merchants take a hit, too. Why? Because our payment system is broken and does not have real security in place because the credit card companies that control the system can push the costs of fraud onto retailers.

To fully understand the magnitude of the systemic failure manifested in the Target breach, one needs to understand the "product" at the source of the breach: credit and debit cards. The two largest brands, Visa (NYSE: V) and MasterCard (MA), control all of the elements related to the operation of their card networks – including the swipe fees, the largest part of what merchants are charged to accept the cards, how consumers' account information is protected and who pays for fraud. For doing that, Visa and MasterCard reaped a collective $8.1 billion in profits over the past 12 months, with minimal exposure to any financial loss related to security flaws in their products – like those that caused the Target breach.

Merchants have precious little say in how the card products in the consumer's wallet are protected from theft, even though trade association studies have found merchants cover most losses from credit card fraud. While Visa and MasterCard dictate card security and allow transactions to proceed without authentication or encryption, they have little real interest in implementing effective security because they don't absorb many fraud losses.

In other words, doing what is right would cost Visa and MasterCard without adding to their revenue. So they don't bother.

Some pundits disingenuously blame the Durbin amendment to the Dodd-Frank Act. Durbin's courageous attempt at curbing the runaway societal costs of the debit payment system paid to the largest banks has no direct financial impact on Visa and MasterCard. In fact, under Durbin, merchants paid $250 million in special interchange fees over the past year to the largest banks covered by the Durbin amendment to "innovate" data security methods that better protect the consumer. Any contention that Durbin may have financially hamstrung issuing banks (the fewer than 200 covered under Durbin) from doing the right thing is just wrong.

Merchants have invested tens of billions of dollars over the past five years in securing the estimated 12.6 million "endpoints" where consumers transact as part of the card brands' mandates for improved data security. But much of that money was spent just to comply with Payment Card Industry security standards. PCI is controlled by the major card companies and, instead of focusing on the most effective anti-fraud systems possible, such as simply requiring the use of PIN, PCI focuses on pushing costs onto merchants. Target was in compliance with PCI standards. Clearly that wasn't enough.

While it is easy to vilify Target, the retailer is a victim along with consumers. We're all hurt by the major card companies devaluing security because they push the costs onto merchants. The card companies' refusal to take on real card security has made the U.S. more vulnerable and fraudsters around the world know it. Our country is a magnet for fraud even though we pay the highest swipe fees in the industrialized world. Real card security standards need to come from an objective source, such as a standard-setting organization or regulator, not the card companies, if we are ever going to turn around our dismal results.

Doug Kantor is counsel for the Merchants Payments Coalition.





Comments (11)
Posted by choffman1 | Thursday, January 09 2014 at 2:34PM ET
I would argue that the cost of fraud is not pushed to retailers, but rather, in the case of fraud on debit cards, to the financial institution who issued the card. Merchants (retailers) have minimal responsibility for the cost of fraudulent transactions.
Posted by Delmari | Thursday, January 09 2014 at 2:40PM ET
Mr. Kantor fails to point out it was Target's systems that were compromised, not Visa's or MasterCard's. I agree with Delmari that the cost of fraud is not pushed to retailers. Card issuers bear the burden of card fraud.
Posted by Lifetimer | Thursday, January 09 2014 at 5:19PM ET
Mr. Kantor raises very good points and I agree that merchants do take a lot of the fraud (the reason many times is that they have to approve a transaction when online is not possible and of course the entire CNP world). I do agree that PIN is a good security feature but PIN alone will not help. We know that today magstripe PIN debit is not secure and the only reason they are not getting the major fraud is that the same card can be used with signature (so why bother with PIN). PIN needs to be implemented alongside a dynamic security and the only viable option is EMV. I think if we use PIN we should use offline PIN so that merchants don't store them (even if they are encrypted) and this way we get the best level of security for the card present space. Card companies do set standards and they have done well with EMV and they are now requiring this in the US although there is a lot of resistance from everyone. So I think once we get EMV on its way in the US we can focus more on the CNP where the industry is craving a real security solution - some are out there and surprisingly enough they have nothing to do with encryption and tokenization and more with dynamic security which will put most of the cost on the issuers and not the merchants!
Posted by JustdoEMV | Friday, January 10 2014 at 9:52AM ET
Mr. Kantor, counsel for the merchants, fails to note that financial institutions pay a steep price for fraud. His critique of being "disingenuous" could equally be applied to his assertion that retailers bear the brunt of fraud. Also, why do retailers so readily accept cards? Clearly cheaper to process than cash and checks, so retailers are benefiting as well from the system. They are not victims of the networks as Mr. Kantor seeks to portray them. Benefit brings accountability for all parties involved.
Posted by rkf | Friday, January 10 2014 at 9:52AM ET