Banks Seek to Shift Data Breach Liability to Retailers

safe-913452_1280On September 2, 2014 credit and debit card data stolen from Home Depot customers went on the online black market.

Within three minutes from the time the data went on sale, $100,000 in fraudulent charges were made to cards issued by a single small credit union in California.

By the time Home Depot announced the breach on September 8, about 56 million sets of credit and debit card data had been stolen, and much of it was resold and used to commit fraud.

As reported by the New York Times, total losses to financial institutions due to the Home Depot breach are unknown, but are estimated to be billions of dollars.

Home Depot reported that its own expenses due to the breach were over $232 million, partly offset by $100 million in insurance coverage.

Shifting the Risk

Traditionally, when data breaches that expose consumer card data happen at the retail level (including at the point-of-purchase) the liability for the losses is largely assumed by the financial institutions that issue the cards.

However, that’s now changing – in part because of lawsuits.

As we discussed in our very first blog, Target Corp. admitted that it detected the cyber-attack that led to the theft of information on 40 million cards but delayed taking action.

The amount of fraud committed due to that 2013 breach still isn’t known almost two years later. Trade groups representing community banks and credit unions estimate that they spend more than $350 million to replace cards compromised due to the Target and Home Depot breaches.

Total credit card fraud losses in 2014 are estimated to be $8 billion.

Class Action

As reported by Reuters, on September 15 a US federal judge certified a class action against Target brought by several small community banks and credit unions.

The banks and credit unions will be allow to pursue their joint claims against Target for losses arising out of the disclosure of 40 million credit card numbers used by Target customers.

In August, Target agreed to pay up to $67 million to financial institutions that issued the Visa cards leaked in the breach.

The Wall Street Journal reports that Target’s working on a similar deal with Master Card.

Chip and Sign

As the Times also reported, starting in October merchants who can’t process credit and debit cards with embedded “fraud prevention” chips could become liable for fraudulent charges at their establishments.

As described by the Times, the cards with chips work as follows:

During each transaction, the chip creates a one-time code. The payment terminal then sends the code to the bank over a network like Visa or MasterCard. The bank matches it to an identical one-time code and sends verification back to the terminal.

The system, called “EMV,” has been used in Europe for years.

The cards are supposed to be “safer” because it’s harder to duplicate a chip than to copy the magnetic strip on an old-style card.

However, most of the new chipped cards will require only a signature, rather than the four-digit PIN code commonly required in Europe.

Worthless “Protection”

As the Times reported, chip-and-signature cards are far less secure than chip-and-pin cards:

“Signature is worthless as a form of authentication” at the point of sale, Mike Cook, an assistant treasurer and senior vice president at Walmart, told attendees during an electronic transactions conference in San Francisco this spring. In the cases of the Target and Home Depot breaches, he said, “not a single PIN debit card needed to be reissued in those breaches. The card number was worthless to the individual thief and fraudsters, because they didn’t know the PIN.”

Also, as the Times notes,

chip technology will not help with “card not present” fraud, such as online purchases. It also will not help with the kinds of data breaches that have embroiled retailers like Target and Home Depot.

(Emphasis added.)

Retailers are concerned that the chips will just make criminals focus more on online fraud.

As quoted in the Times,

“It’s like closing the front door but leaving the back door open,” said Mallory Duncan, senior vice president and general counsel at the National Retail Federation. “The thieves will figure out that the back door is unlocked.”

The Right Way to Do Security

Using a one-time code for data verification is a step in the right direction. However, as the news stories discussed above plainly show, the “new and improved” chip-equipped credit cards will do NOTHING to prevent massive online data breaches and fraud that are costing billions every year.

What’s needed is to introduce dynamic encryption at a level that can actually stop hackers.

To learn more about PACid’s dynamic data encryption technology and five levels of data security, please click here.