U.S. banks and merchants face mounting pressure to catch up with technology used in Europe, Asia and Latin America to secure credit- and debit-card data after tens of millions of Target Corp. customers were exposed.
Banks had to reissue cards and field client complaints in the weeks since Target first said data from 40 million accounts were compromised during the holiday shopping season. Lenders, retailers and other firms operating in the U.S. payments system need to cooperate with one another to prevent fraud, JPMorgan Chase & Co. Chief Executive Officer Jamie Dimon said yesterday.
"This cyber-security stuff we've now pointed out for a year is a big deal," Dimon, whose bank is the nation's largest, said during a conference call to discuss earnings. "All of us have a common interest in being protected, so this might be a chance for retailers and banks to, for once, work together."
Lenders and retailers have sparred for years over swipe fees, which help cover fraud costs. The companies also have been at odds with Visa Inc. and MasterCard Inc., the world's biggest payment networks, about converting to so-called EMV-chip technology, which more effectively thwarts hacking. With expenses mounting and U.S. lawmakers demanding explanations, firms may seek to bridge those differences and bolster data protection.
"This fraud event has created a much more significant incentive for EMV conversion than was in place previously because the scope of potential liability is so large," said Beth Robertson, an independent payments consultant who works with Javelin Strategy & Research. "It will strike more issuers and merchants that they need to make the conversion so that they don't get left holding a wide-scale loss."
EMV -- a technology named for founders EuroPay International, MasterCard and Visa -- has become a standard in Europe and much of the rest of the world. EMV chip cards are more difficult for hackers to clone, leaving holders less vulnerable, according to Jack Jania, senior vice president of Gemalto NV, one of the largest EMV technology providers.
EMV has been slower to catch on in the U.S. largely because the costs to both merchants and issuers outweigh the potential gains, according to Shirley Inscoe, a payments analyst at Aite Group LLC, a Boston-based research firm.
"They cannot make the business case" she said in a phone interview. "Converting to EMV is a huge project that is tremendously expensive for the issuers and for the merchants."
Mass reissuances of magnetic-stripe cards such as the one undertaken by JPMorgan cost about one-third of what it would cost if the cards were equipped with EMV technology, she said.
Recent breaches have cast light on the liabilities firms might face if they don't improve safeguards, said Scott Valentin, an analyst at FBR Capital Markets in Arlington, Virginia.
"Some of the reputation risk is more costly than the actual financial damages," he said. "There is now more impetus -- both from the merchants and card issuers. It accelerates the intensity for adoption."
The Target breach, which was disclosed by the company Dec. 19, occurred when a computer virus infected the retailer's point-of-sale terminals, a person familiar with the matter said last month. Target said Jan. 10 that thieves also accessed information including e-mail addresses and phone numbers for as many as 70 million people. Payments information also was compromised at Neiman Marcus Group Ltd.
Democratic U.S. lawmakers are pressing for information on Target's breach. Senator Jay Rockefeller of West Virginia, chairman of the Commerce Committee, sent a letter to Target CEO Gregg Steinhafel requesting a briefing for the panel's staff on the "circumstances that permitted unauthorized access" to card data. In the House, Maryland Representative Elijah Cummings asked Darrell Issa, the Republican chairman of the Committee on Oversight and Government Reform, for a hearing.
The U.S. accounts for almost half of $11.3 billion in annual global fraud losses on payment cards, according to the Nilson Report, an industry newsletter in Carpinteria, California. Gross fraud losses, based on $21.6 trillion in worldwide volume, amount to 5.22 cents per $100.
"The absence of EMV cards and terminals in the U.S. contributes to fraud losses" and the U.S. is the only region where counterfeit-card fraud continues to grow consistently, Nilson wrote in an August report. "Adoption of EMV at the point of sale is the strongest defense against counterfeit cards."
Visa and MasterCard have given their acquirers and issuers until October 2015 to adopt EMV or assume liability for counterfeit card transactions. Chris McWilton, president at Purchase, New York-based MasterCard, said in a Jan. 8 letter to banks that the firm will be keeping its 2015 liability shift dates in place.
"In the wake of the recent reported merchant data breach, chip technology has gained even greater interest and rightfully so," McWilton said.
Some retailers have said current plans for EMV don't address all deficiencies that lead to fraud and that requiring PIN entry, as opposed to signatures, on purchases is most effective. "Merchants welcome the opportunity to do something about the problem and are willing to make the sizable investments necessary," Merchant Advisory Group, a trade association, said in a Jan. 13 statement.
The breach also has raised questions about the use of card swipe fees, also known as interchange, which generate more than $40 billion a year for U.S. banks. MasterCard and Foster City, California-based Visa won court approval last month for a $5.7 billion settlement to end years of litigation over accusations from merchants that the companies colluded with banks in fixing the rates. Dozens of retailers, including Minneapolis-based Target and larger rival Wal-Mart Stores Inc., criticized the deal. Some said they would appeal the decision.
JPMorgan Chief Financial Officer Marianne Lake said yesterday that the impact of Target's breach on fourth-quarter results was "not significant," after the New York-based bank reported a $5.28 billion profit for the period. The firm said that it has replaced 2 million debit cards that were affected.
The costs may be more significant for smaller firms, such as Putnam Bank. Connecticut-based Putnam sued Target yesterday, claiming that the breach cost the lender money by forcing it to issue customer alerts and new cards.