Updated: Friday, March 27, 2015
Target data breach price tag $252 million and counting
Remediation and legal challenges continue at Target Corp., in the costly aftermath of a December 2013 data security breach that compromised 40 million customers’ credit and debit cardholder data, as well as an estimated 70 million consumer email and mailing addresses. Target, in a recent statement, estimated costs of the breach to exceed $252 million in fines and legal fees, with no clear end in sight.
The newest addition to a litany of filings was announced March 26, 2015, with preliminary approval of a $10 million settlement in a class action suit filed by Target customers, with awards of up to $10,000 per person. Minnesota District Court Judge Paul A. Magnuson set a final hearing date of Nov. 10, the filing deadline for all claims and objections.
A separate ruling by Judge Magnuson in December 2014 paved the way for banks to sue Target, stating that the banks were the true victims in the data breach, since most consumers are fully reimbursed by banks for fraudulent charges on their credit cards. The Judge stated that the ruling’s intent was consistent with “Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.”
Claimants must prove beyond doubt
Settlement terms dictate that claimants must provide proof of expenses and/or lost time caused by the data breach. Plaintiffs can use the settlement’s web portal to submit official claim forms, which must include at least one of the following complaints to meet reimbursement eligibility requirements:
- Unauthorized charges were made on their credit or debit cards that were not reimbursed.
- Time was lost when they had to deal with unauthorized charges.
- Legal counsel or an identity protection specialist was hired to rectify credit reports or to help restore credit worthiness.
- Late fees or higher interest rates were assessed on the cardholder’s account due to unusual account activity.
- The account was frozen, closed, or access to funds was blocked or restricted.
- Additional fees were paid on payment card accounts.
After the initial large payouts are made to claimants, any remaining settlement funds will be evenly disbursed among participating members of the class action suit who did not submit proof of damages. Considering that 40 million people potentially had their card data compromised, if all or even half of those affected chose to participate, the average check would amount to under a dollar per person.
Attorneys expect to fare considerably better than consumers in this case, as settlement terms establish a separate fund of as much as $6.75 million to be set aside exclusively for class action legal representatives.
Target joins nonprofit initiatives
Target has been generally cooperative throughout the remediation process, security analysts have said. Early on, when the company first learned of the data breach, it offered customers who shopped at its U.S. locations up to a year of free credit monitoring and identity theft protection.
Immediately following the breach, Target published a dedicated website to address the ongoing data breach investigation and reassure customers that the company was making every effort to address concerns and improve security standards. In a March 6, 2014, statement, Target stated it had officially joined the FS-ISAC:
“Target has officially joined the Financial Services Information Sharing & Analysis Center (FS-ISAC), a nonprofit private sector initiative developed by the financial services industry to help facilitate the detection, prevention, and response to cyber attacks and fraud activity,” the company stated. “Information Sharing and Analysis Centers (ISACs) were created nearly 15 years ago in several industries to help effectively share critical information. As part of its financial operations (Target Bank, a federally regulated entity), Target will now be a platinum member of the organization.”
Ralph Boelter, Target Vice President of Corporate Security, added, "The Target team is looking forward to playing an active part of the FS-ISAC and working alongside these partner organizations toward industry solutions for cyber threats."
In February 2015, Target followed Payment Card Industry Data Security Standard guidelines by appointing Mike McNamara as its Chief Information Officer. McNamara, formerly with U.K. retailer Tesco, will oversee a broad effort to protect consumer data, enhance threat detection, and implement ongoing employee protocols and security training.
Target has also made changes to its executive leadership. Chief Executive Officer Brian Cornell, formerly of PepsiCo Americas Foods, has replaced former CEO Gregg W. Steinhafel. In forward-looking statements released with its March 13 annual report, the company stated it expects further litigation from state and federal regulatory bodies, including the Federal Trade Commission, Securities and Exchange Commission, and leading payment card brands.
CFPB takes on consumer lenders, card market
Wednesday, March 25, 2015
The Consumer Financial Protection Bureau wants to get a better fix on the market for credit cards. On March 17, 2015, the federal consumer watchdog agency issued a request for public comments on how the credit card market is functioning and the impact of credit card regulations on both consumers and card issuers.
The request came on the heels of a report to Congress in which the CFPB blasted banks and other service providers for hamstringing consumers when it comes to seeking relief for disputed transactions. “Tens of millions of consumers are covered by arbitration clauses, but few know about them or understand their impact,” said CFPB Director Richard Cordray.
Mandatory arbitration clauses limit consumer remedies
Arbitration is a method for resolving disputes outside the court system. According to the CFPB’s research, in recent years many contracts for consumer financial products and services have included “pre-dispute arbitration clauses” stating that either party can require that disputes be resolved through arbitration instead of the court system. Where such clauses exist, either party can block lawsuits, including class actions, from proceeding in court.
The 2010 Dodd-Frank Act addressed the issue by prohibiting pre-dispute arbitration clauses in mortgage loan agreements. The law also tasked the CFPB with undertaking a study of pre-dispute arbitration clauses in other consumer finance markets and to issue regulations on their use if the study finds problems.
These are some of the problems highlighted in the CFPB’s report titled Arbitration Study: Report to Congress, pursuant to Dodd-Frank Wall Street Reform and Consumer Protection Act Section 1028(a):
- 53 percent of credit card issuers include arbitration clauses, mostly large banks.
- 93 percent of prepaid card agreements studied are subject to arbitration clauses.
- 44 percent of insured checking account deposits are covered by arbitration clauses.
- Among mobile wireless carriers that authorize third parties to charge consumer accounts for services, 88 percent of carriers representing 99 percent of the market include arbitration clauses in customer contracts.
Copies of the report are available for downloading at http://files.consumerfinance.gov/f/201503_cfpb_arbitration-study-report-to-congress-2015.pdf.
Getting to know the card market
The March 17 request by the CFPB is part of an ongoing series of studies mandated by Congress under the CARD Act of 2009. The Bureau said comments received will contribute to a report scheduled to be delivered to Congress later this year.
The CFPB said it wants comments from all stakeholders about how they believe the card market is functioning and what passage of the CARD Act has or has not done for consumers. Specific areas of inquiry include:
- What, if any, changes card issuers have made in terms of pricing, marketing, underwriting and other practices, and whether those changes have benefitted consumers.
- To what extent unfair and deceptive acts and practices, or unlawful discrimination, still exist in the credit card market.
- Debt collection practices and issuer relationships with third-party collection agencies.
- Whether disclosures regarding rewards programs are clear and transparent, and what can be done to improve such disclosures.
“With today’s inquiry, the Bureau is seeking to further understand how the credit card market is working in practice and how credit card protections affect consumers and credit card issuers,” Cordray stated when introducing the request for comment. “As we undertake this review, the Bureau wants to ensure it understands the information that consumers, industry, advocates, and other stakeholders believe is most relevant.”
Copies of the CFPB’s request for comment are available for downloading at http://files.consumerfinance.gov/f/201503_cfpb_card-act-report-rfi.pdf.
Verizon study details need for improved PCI security
Monday, March 23, 2015
The Verizon 2015 PCI Compliance Report is Verizon Communications' fourth and most extensive study of global trends in payment card security. Highlights include a review of Payment Card Industry (PCI) Data Security Standard (DSS) baseline requirements and a first-time focus on sustainable security practices.
The 84-page study explores why four out of five companies fall out of compliance after passing their PCI audits. Additionally, two thirds of the companies studied used incomplete or inadequate test scripts for their in-scope security systems.
PCI Council sounds wake-up alarm
The PCI Security Standards Council, established in 2006 by American Express Co., Discover Financial Services, JCB International Credit Card Co. Ltd., MasterCard Worldwide and Visa Inc., is an open global forum focused on developing, managing, educating, and raising awareness of the PCI DSS for increased payment data security.
Stephen W. Orfei, the PCI SSC's General Manager, called the Verizon report "a wake-up call for every business that cares about payment security," adding that despite overall progress, businesses still have a long way to go in prioritizing and implementing payment security.
Orfei acknowledged that there is no "silver bullet" to preventing security breaches and urged companies to take a "multilayered approach to security" by managing access, strengthening security at the POS and remaining vigilant to the evolving threat landscape.
The report noted a global increase in credit card spending, predicting that total world card payments will exceed $20 trillion in 2015. The PCI DSS provided the framework for the report's quantified analysis. Following are three takeaways from the report.
- Compliance is up
Overall PCI compliance increased between 2013 and 2014 for 11 of the 12 PCI DSS requirements, with an average increase of 18 percent per business.
- Sustainability is low
Less than one third (28.6 percent) of companies retained PCI compliance in the 12 months following successful validation.
- Data security is still inadequate
Verizon's viewpoint is that the PCI DSS is "a baseline, an industry-wide minimum acceptable standard, not the pinnacle of payment card security. PCI DSS compliance should not be seen in isolation, but as part of a comprehensive information security and risk-management strategy."
The report examined all 12 of the PCI DSS requirements: maintaining firewalls, securing configurations, protecting stored data, protecting data in transit, maintaining anti-virus tools, maintaining secure systems, restricting access, authenticating access, controlling physical access, logging and monitoring, testing security systems and maintaining security policies.
Each requirement was reviewed according to its role in a comprehensive security strategy. The report also examined newer versions of each requirement that reflect emerging technologies and the evolving threat environment.
For example, Requirement 2 prohibits using vendor-supplied default passwords or security parameters. This requirement has been affected by cloud and virtualization technologies.
"Requirement 2 is one of the requirements most affected by the emergence of virtualization and cloud," the report stated, referring to technologies that simplify information technology (IT) infrastructures. The introduction of new technology can pose challenges to IT professionals tasked with separating in-scope and out-of-scope systems that coexist on the same physical server.
EMV may drive fraud to card-not-present transactions
Orfei noted that the U.S. transition to EMV (Europay, MasterCard and Visa) chip technology will make 2015 a pivotal year in payments. His tone of cautious optimism is reflected in Verizon's report, which references the coming Oct. 1, 2015, liability shift for POS terminals, and Oct. 1, 2017, for automated fuel dispensers. The report pointed out that EMV is not a panacea, and suggested that experience gained from other countries shows that it displaces, rather than eliminates, fraud.
EMV cards may initially increase the security of card-present transactions, and "attackers may focus their attention on 'card not present' (CNP) transactions, including online shopping," the report stated. The report also noted that banks and card issuers are developing new methods of encryption, tokenization and behavioral analytics to enhance the security of e-commerce transactions.
Becoming and remaining compliant
In addition, Verizon's 2015 report explored why companies fail to sustain PCI compliance – in many cases for less than a year after achieving successful audits.
Verizon attributed the problems to two failures: failing to build robust procedures, which must be not only built but also managed and maintained, and failing to recognize that an assessment is only a snapshot. It captures a moment in time and demonstrates only that the company and the sites, devices and systems selected during sampling were deemed compliant at that moment.
Real payment card data security requires ongoing controls and vigilance beyond the PCI assessment. Orfei described passing an annual compliance assessment as a starting point for implementing a broader, vigilant and proactive security program. "Only a combination of people, process and technology, and a focus on making security a 'business-as-usual' practice will help thwart these constant threats," he said.
Congressional Payments Technology Caucus a positive for payments
Friday, March 20, 2015
The Congressional Payments Technology Caucus (CPTC), formed March 19, 2015, will expand oversight into payment technologies, data security and alternative payment schemes that exist outside the traditional banking footprint. Committee members include House Representatives Lynn Westmoreland, R-Ga., Randy Neugebauer, R-Texas, David Scott, D-Ga., and Kyrsten Sinema, D-Ariz. The representatives share an interest in consumer protection and concurrently serve on the House Financial Services Committee.
Jason Oxman, Chief Executive Officer at the Washington, D.C.-based Electronic Transactions Association, hailed the newly formed caucus as an important new development for the payments industry and U.S. economy.
"As the trade association of more than 500 U.S. payments technology companies, ETA applauds the leadership of Representatives Westmoreland, Scott, Neugebauer, and Sinema and looks forward to working with caucus members to advance deployment of payments technologies that grow our economy while improving the lives of all Americans," Oxman said.
Scott Talbott, ETA Senior Vice President of Government Relations, added, "The CPTC will deepen Members of Congress' understanding of issues facing the rapidly evolving payments tech industry."
Parallel efforts continue
While the CPTC's complete agenda has not yet been revealed, its committee members will continue to work with the House Financial Services Committee on initiatives that broadly impact the payments and financial industries. The committee's far-reaching agenda addresses current legislation and new issues that surface while Congress is in session. Current legislative initiatives include the Dodd-Frank Wall Street Reform and Consumer Protection Act, financial institutions and consumer credit, capital markets, government sponsored enterprises, housing, insurance, and monetary policy and trade.
The Dodd-Frank Act's sweeping reforms include formation of the Financial Stability Oversight Committee and the Office of Financial Research. The "Too Big to Fail" initiative is designed to end government bailouts of banks regardless of their size or influence. The Volcker Rule restricts commercial banks from investing in hedge funds and private equity. The HFSC will continue to examine "Too Big to Fail" implementation and the Volcker Rule's impact on the strength and competitiveness of U.S. capital markets.
A diverse group of HFSC subcommittees manage ongoing oversight of financial institutions and consumer credit practices. These committees cover the Consumer Financial Protection Bureau, financial supervision, capital standards and Basel III, mortgages, deposit insurance, community financial institutions, regulatory burden reduction, credit scores and credit reports, access to financial services, Operation Chokepoint, and discrimination in lending.
Cautiously optimistic outlook
CPTC members noted the accelerated pace of technology innovation and its impact on U.S. and global economies. Rep. Neugebauer sees an upside in CPTC activities in the United States and locally for constituents in the 19th District of Texas. "Many of these new technologies will help address some of our most pressing financial services challenges such as cyber and data security," he said.
Rep. Westmoreland described Georgia as a leader in both consumer payment systems and cyber security. She looks forward to representing Georgia and participating in committee activities. "Global technology is growing and changing at a rapid pace and has a dramatic effect on our consumer payment systems and cyber security," she said, adding that the CPTC will help members stay current on industry changes, provide information, and participate in crafting future legislation.
Reflecting on his role in the Financial Services Committee, Rep. Scott commented on Georgia's central role in payments, a large and diverse industry that touches every segment of the U.S. economy. "Most electronic transactions in the US pass through Georgia-based companies," he said. He also acknowledged the need to further educate fellow members of Congress on the challenges and benefits facing the payments industry such as security and consumer protections.
Rep. Sinema saw innovation as fueling the growth of small business and start-ups, while protecting consumer privacy and security. "I look forward to working with the CPTC to foster innovation, protect consumers, and support small businesses," Sinema said.
New initiative seeks common ground for advancing mobile wallets
Tuesday, March 17, 2015
Can financial institutions and merchants work together on an open, common platform for bank- and retailer-branded mobile wallets with "frictionless activation and redemption of loyalty and offers"? Mobile payment consultant Richard Crone is betting they can, and he's launching the Merchant Financial Institution Council to help bring it to fruition.
Crone described the initiative as an alternative to Apple Pay and noted that mobile wallets are an important customer touch point, especially with the millennial generation. "If you simply cede this market to Apple, Google [or other nonbanks], you will lose that touch point forever," Crone said in announcing the MFIC in early March 2015 at the BAI Payments Connect conference.
"The MFIC charter would be an inclusive and transparent working group of all the payment stakeholders dedicated to leveraging an open, common acceptance platform that includes support for retailer and bank-branded mobile wallets and tender reciprocity," Crone stated in interviews following the conference.
Tender reciprocity refers to the acceptance and provisioning of bank-issued, open-loop credit and debit cards inside retailer branded apps, and standalone mobile wallets like Apple Pay and CurrentC, as well as provisioning and access to retailers' closed-loop, private-label card and loyalty programs inside bank-branded wallets.
Banks, merchants on same page?
Crone is optimistic about the MFIC. He pointed to the positive reception he received at BAI (about 100 attendees requested additional information, he said) and preliminary conversations with organizations representing both banks and retailers.
Crone also referenced recent comments made by Andy Shober, Chief Sales and Business Development Officer at the Merchant Customer Exchange (MCX), which developed CurrentC. According to a transcript of the exchange, Shober's remarks came during a Q&A at a recent Merchant Advisory Group conference in Dallas. "I think banks and merchants have a tremendous opportunity to work together directly," Shober said. "We have customers out there. There are things that we can work on to mutual gain."
Crone believes it's time to "throw away" nondisclosure agreements. "Let's talk openly about how we can do this," he said. MFIC participants would include executives from financial institutions (both issuers and acquirers), retailers and end user organizations. "Any entity that wants to can be part of this," Crone added.
Members would work on defining business models, best practices, standards, accreditation, procedures and other factors that might impact the mutual acceptance by banks and retailers of each other's credit, debit and rewards offerings, as well as standalone mobile wallets such as Apple Pay, CurrentC and Google Wallet. "Addressing these [requirements] will allow the industry stakeholders to use the MFIC initiative to confidently take action and establish new business terms between the parties," Crone said.
Taking a bite out of Apple Pay
By working together in support of tender reciprocity, Crone believes, financial institutions and merchants can provide mobile wallets that are superior to Apple Pay. Apple has made transaction anonymity a key to the Apple Pay offering; in other words, merchants are locked out of valuable customer data flows.
"It's not about the money, but rather all the value that can be delivered before, during and after transactions," Crone said in his remarks at BAI Connect. Apple Pay doesn't deliver much value to merchants; it creates new hassles such as the need for merchants to install near field communication-enabled devices to accept Apple Pay, he noted.
Analysts at UBS Securities LLC addressed these issues in a recent report, The Empire Strikes Back: Retailers and Banks to Join Forces as Alternative to Apple Pay in 2015. "New payment approaches need retailer support, which Apple Pay largely lacks because it cannot handle ads and offers with its one-way technology," the report stated. The report pointed out that financial institutions have an economic incentive to develop products that compete with Apple Pay. "Allowing intermediaries like Apple Pay to succeed subordinates the brand, commoditizes the experience, and creates excessive fees from the perspective of issuers and merchants," it stated.
Card issuers that signed on with Apple Pay are required to pay Apple 0.15 percent of each credit card transaction and 0.5 cents for each debit card transaction initiated using the Apple Pay wallet.