Protecting banks from the coming data breach liability storm

31st May 2015

The Target data breach of 2013 and the Home Depot data breach of 2014 have fueled extensive discussions about who should pay for data breaches. The players include retailers, banks who issue credit cards, and the credit card companies themselves. 

In most cases, banks foot a big portion of the bill, and the costs are especially tough for small community banks. Retailers complain that banks haven’t switched to more secure card technologies, like chip-and-PIN. In reality, it’s banks that pay for retailers who have lax data security.

Data Theft: How Banks Pay

Banks that issue credit cards stolen in retailer data breaches find themselves on the hook for two main costs. First, they have to reimburse customers for fraudulent transactions. Second, they have to issue millions of new credit and debit cards. According to the Independent Community Bankers of America (ICBA), after the Home Depot breach, community banks reissued over 7.5 million credit and debit cards at a cost of $90 million. Costs include notifying account holders, issuing actual cards, changing account numbers, and fielding an increase in customer service questions.

When consumers discover fraudulent transactions, they can limit losses to $50 so long as they report the transaction within two days. If they notice suspicious charges on a bank statement, they have 60 days to call the bank if they want to limit losses to $500. Once they report the loss, the bank has 10 days to investigate to determine whether or not a transaction was fraudulent. With fraudulent debit card transactions, customers often find themselves without funds for over a week. Banks, not retailers, bear the brunt of the customer’s frustration. For credit card customers, the inconvenience is minimal because the money doesn’t actually come out of the customer’s bank account. The credit card company can wipe away the transaction without affecting the customer’s bank balance.

Credit card companies, according to their merchant agreements, can require reimbursement for fraudulent charges and can levy fees for inadequate data security. For example, after the 2007 T.J. Maxx data breach, the retailer paid $65 million in settlement costs to Visa. These merchant agreements, however, don’t protect the banks that issue payment cards. The burden of investigating fraudulent debit card transactions and issuing new cards falls on the shoulders of banks.

What Can Banks Do to Lower Costs?

Many banks, including both larger banks and smaller community banks, partner with identity theft protection providers to offer identity theft alert tools to their customers. When customers receive instant information about potential fraud, they can reach out to banks before fraudulent transactions add up to large amounts of money. Banks can also offset some of their data-breach costs by offering identity theft services as add-on products to their customers. In addition to offering identity theft tools, banks need to push for laws that protect them from data breach losses. 


The National Retail Federation (NRF) claims that retailers pay for the majority of fraudulent transaction losses, and it pushes Congress hard to maintain the status quo concerning data breaches. The Federal Reserve reports that card issuers — the banks that serve as middlemen between credit card companies and retailers — actually bear the burden for 60 percent of debit card losses. More specifically, issuers pay for 96 percent of PIN debit card transaction losses and 54 percent of signature debit card losses. In many cases, banks can’t get this money back from merchants.

Card Tricks

When an attacker steals a customer’s card information from Target’s data center, the attacker could use the card to make purchases from Target. In those cases, banks could charge the purchase back to Target, making Target directly liable for the loss. 


In reality, the card numbers stolen from the Target breach are being used for purchases at virtually any retailer in the world. Target itself, despite paying some settlement money to credit card companies, won’t pay directly for these fraudulent transactions. Instead, those costs are borne by the banks and by the retailer who authorized the fraudulent purchase. Merchants do pay big bucks for bad publicity and restitution-related services, like credit monitoring, for their data breach victims. They don’t, however, end up paying for the fraudulent transactions themselves. 

Until laws change, banks will continue to be on the hook for lax retailer data security. Their best hope is to educate customers, offer credit monitoring solutions, and continue to push for new laws.
