The squabbling over who is responsible for the massive data breach at Target stores resumed Thursday when a group representing retail banks rolled out a new set of numbers detailing how much the breach has cost banks.
The Consumer Bankers Association said in a news release that its members have now re-issued 17.2 million credit and debit cards in response to the breach or 1.9 million more than it had previously reported at a cost of roughly $10 each.
The mounting cost, the CBA said, is further proof that banks are most harmed when hackers infiltrate retailers' payments systems. The Target breach occurred at the height of the holiday shopping season and is believed to have affected as many as 110 million card users.
"When retailers say this data breach [comes] at no cost or liability to consumers they are right because it's banks and card issuers who are on the hook often at little or no cost to retailers like Target," Richard Hunt, the CBA's president and chief executive, said in a news release. "Retailers should recognize the costs of data breaches snowball with time and they should take responsibility when they are at fault."
Those are fighting words in the view of retailers. They have argued that banks and card issuers are to blame for data breaches because the cards they issue are easy targets for hackers.
They are pushing U.S. card issuers to follow the lead of issuers in Europe and other markets and replace the magnetic-stripe card with more secure smart-chip technology. In the U.K., hacking incidents are down by roughly 70% since card issuers there adopted the new technology, according to the National Retail Federation.
"As long as bank cards continue to be issued with outdated and fraud-prone magnetic stripe security, it is clear American card holders will remain largely unprotected," the National Retail Federation said in a letter to members of Congress last month.
Of course, upgrading the security of credit and debit cards comes at a huge cost, and card issuers are hesitant to make the investment. For now, they just want retailers to share in the cost of re-issuing cards.
"An entity that is responsible for a breach that compromises sensitive customer information should be responsible for the costs associated with that breach," the CBA said Thursday.