30 September 2016
Business Intelligence: A Tech Revolution for the Evolution in Compliance

US banks have re-issued 17.2 million cards following Target data breach

07 February 2014  |  13393 views  |  8 Credit card

The Target data breach has so far cost US banks over $172 million in re-issued plastic cards, according to figures from the Consumer Bankers' Association.

The cost to replace each card comes to an average of $10.00, with a total of 17.2 million cards substituted so far by CBA members. According to data collected from CBA member banks, the average cost to replace a credit or debit card includes: the card itself, informing consumers of a card reissuement, shipping and activating the card, and often supplemental communication via call centres and the internet.

Richard Hunt, president and CEO of the CBA, says: "When retailers say this data breach come at no cost or liability to consumers they are right - because its banks and card issuers who are on the hook often at little or no cost to retailers like Target. Retailers should recognise the costs of data breaches snowball with time and they should take responsibility when they are at fault."

He says the numbers published by CBA do not take into account any fraudulent activity which may have occurred or may occur in the future. Fraudulent activity would push the cost of the Target data breach to the industry much higher, as consumers would not be held liable.

A recent analysis by Jefferies suggested that Target could be on the receiving end of a $1 billion breach bill from the payment cards industry, working on the assumption that 4.8 million to 7.2 million of the 40 million cards affected by the breach could see fraudulent activity.

CBA has joined fellow financial services trade associations in urging policymakers to enforce tougher standards, including the establishment of a national data security breach and notification standard, a shift in liability to retailers, and better sharing of threat information.

Comments: (8)

Alexander Peschkoff
Alexander Peschkoff - TEDIPAY - London | 07 February, 2014, 10:18

With that budget and the right approach, one can populate the entire US retail with contactless EMV readers. Retailers are aware of the problem now and by striking that hot iron, it could be possible to bring EMV into the US by the end of this year.

1 thumb up! 1 thumb up! (Log in to thumb up)
Murray Chapman
Murray Chapman - Zestex Computing Limited - Amersham | 10 February, 2014, 06:17 It'd take a bit more cash than that. There's also the cost of issuing EMV cards unless you believe that the USA can go straight to mobile NFC.
Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Alexander Peschkoff
Alexander Peschkoff - TEDIPAY - London | 10 February, 2014, 07:36 I didn't count the card re-issue costs: once the retail infrastructure is in place, there are several ways to get card cost either greatly reduced (indeed using mobile phones - not necessarily with NFC - as part of the equation) or "absorbed" via an alternative business model (e.g. shared SE).
Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Gerhard Schwartz
Gerhard Schwartz - Hewlett-Packard - | 10 February, 2014, 08:27

While EMV certainly helps greatly in the fight against fake cards, it should be noted that EMV would not have prevented the recent Target breach. The card details were stolen while travelling "in the clear" through Windows-based POS checkout counters and store servers by some nasty malware called "BlackPOS". It did not matter at all whether that card data originated from magstripe cards or chip cards.

End-to-end encryption between the card reader and the authorization system would have helped, but this may require some changes in the current POS processes. And of course, it would greatly help if Windows and/or Linux platforms did not have those thousands of vulnerabilites. Unfortunately, getting rid of those is a dream that probably will never come true ... 

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Alexander Peschkoff
Alexander Peschkoff - TEDIPAY - London | 10 February, 2014, 08:39

Gerhard, the simplest way to solve the issue of card data is to (a) use EMV in physical retail and (b) use token-based payments online. That way any card data which can be intercepted in retail is useless to the attacker.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Gerhard Schwartz
Gerhard Schwartz - Hewlett-Packard - | 10 February, 2014, 09:35

@Alexander: Fully agreed, doing both EMV and tokenized electronic payments with end-to-end encryption would solve the problem. I'm all for EMV - but some people seem to believe that issuing chip cards alone would help, and unfortunately this is not the case.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Nick Collin
Nick Collin - Collin Consulting Ltd - London | 10 February, 2014, 11:04

@Gerhard - the point of EMV chip is not to stop the data being stolen in the first place but to render the stolen data useless to the fraudster.  It's easy to use stolen data to produce a countefeit mag stripe card but very difficult to use that data to produce a chip card.  And every chip transaction generates a unique cryptogram so it's immediately obvious whether the card is genuine or fake as soon as it's used at an EMV terminal.  It's in that sense that the Target data breach would not have been a major problem if the US had completed its migration to EMV chip.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Gerhard Schwartz
Gerhard Schwartz - Hewlett-Packard - | 10 February, 2014, 11:59

@Nick: Fully agreed, it is very hard to produce fake chip cards, so with EMV fully implemented worldwide the problem would be much smaller. But fraudsters are likely to move over to card-not-present situations (online shopping, buying via call centers etc.) where card data that has previously been transmitted "in the clear" via a POS network can still lead to significant fraud.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)

Finextra news in your inbox

For Finextra's free daily newsletter, breaking news flashes and weekly jobs board: sign up now

Related stories

South Korean card firms suspended over data breach

South Korean card firms suspended over data breach

03 February 2014  |  4661 views  |  0 comments | 5 tweets | 6 linkedin
Neiman Marcus says 1.1 million cards compromised; Michaels Stores latest to report breach

Neiman Marcus says 1.1 million cards compromised; Michaels Stores latest to report breach

27 January 2014  |  5284 views  |  0 comments | 8 tweets | 5 linkedin
Texas police make Target data breach-related arrests

Texas police make Target data breach-related arrests

21 January 2014  |  3566 views  |  0 comments | 1 linkedin
Russian teen accused of writing Target malware

Russian teen accused of writing Target malware

20 January 2014  |  5916 views  |  4 comments | 8 tweets | 10 linkedin
Citi replaces all debit cards involved in Target breach

Citi replaces all debit cards involved in Target breach

16 January 2014  |  5787 views  |  0 comments | 7 tweets | 7 linkedin
Target raises numbers hit by data breach from 40 million to 70 million

Target raises numbers hit by data breach from 40 million to 70 million

10 January 2014  |  5458 views  |  1 comments | 11 tweets | 6 linkedin
Credit Union lobby urges Congress to act on retailer data security failings

Credit Union lobby urges Congress to act on retailer data security failings

20 December 2013  |  5925 views  |  1 comments | 3 tweets | 9 linkedin
Target says 40 million cards may have been compromised in data breach

Target says 40 million cards may have been compromised in data breach

19 December 2013  |  9451 views  |  2 comments | 11 tweets | 12 linkedin
Connecticut resorts to cheques for tax refunds after JPMorgan Chase data breach

Connecticut resorts to cheques for tax refunds after JPMorgan Chase data breach

17 December 2013  |  4164 views  |  0 comments | 3 tweets | 2 linkedin
Connecticut hits Citi with fine over card data breach

Connecticut hits Citi with fine over card data breach

02 September 2013  |  10607 views  |  0 comments | 8 tweets | 4 linkedin
Corporate data breaches increasingly correlated with consumer fraud reports

Corporate data breaches increasingly correlated with consumer fraud reports

07 June 2013  |  4908 views  |  0 comments | 5 tweets | 1 linkedin
Full extent of FIS data breach comes to light

Full extent of FIS data breach comes to light

04 June 2013  |  13859 views  |  0 comments | 10 tweets | 9 linkedin
US supermarket data breach exposes 2.4m cards

US supermarket data breach exposes 2.4m cards

16 April 2013  |  9455 views  |  3 comments | 13 tweets | 5 linkedin
Retailer sues Visa over data breach penalties

Retailer sues Visa over data breach penalties

12 March 2013  |  9035 views  |  0 comments | 12 tweets | 4 linkedin

Related blogs

Create a blog about this story (membership required)
Find out moreVisit www.abe-eba.euVisit VocaLink.com

Top topics

Most viewed Most shared
RBS tests demonstrate ability of Ethereum to support a national domestic payments systemRBS tests demonstrate ability of Ethereum...
14544 views comments | 55 tweets | 48 linkedin
Ripple rudely gatecrashes Sibos partyRipple rudely gatecrashes Sibos party
9963 views comments | 31 tweets | 30 linkedin
Swift beware: Ripple signs banks to global payments steering groupSwift beware: Ripple signs banks to global...
9166 views comments | 33 tweets | 18 linkedin
BNP Paribas is working with clients on blockchain deploymentBNP Paribas is working with clients on blo...
7532 views comments | 14 tweets | 30 linkedin
US gets same day ACHUS gets same day ACH
7040 views comments | 23 tweets | 20 linkedin

Featured job

Find your next job