Credit Unions Help Nix Target Settlement Deal

U.S. credit unions joined other credit and debit card issuers last week in rejecting a $19 million settlement proposal from retailer Target addressing a 2013 data breach that compromised millions of Mastercard customer accounts.

In proposing its settlement to Mastercard, Target had required that 90% of the card issuers accept the offer in order for it to be final. That didn’t happen.

Basically, the issuers believe that the settlement amount is too low and doesn’t represent the actual damages suffered when their customers’ accounts were compromised in 2013.

The conflict stems from a data breach that hit Target customers from late November to early December 2013. These customers used Mastercard debit and credit cards, issued by a number of banks and credit unions, to make holiday-season purchases at Target stores. The breach resulted in data being stolen from around 40 million of the cards.

However this turns out, a settlement in this particular case will not solve the bigger issue of who will be responsible for securing millions of credit and debit accounts against data thieves.

The Target breach was just one of several such incidents to hit major retailers in recent years, and resulted in cardholders’ personal data being stolen.

This question – of who is responsible for maintaining security – has been passed around like a hot potato among merchants (like Target), payment systems/intermediaries (like Mastercard) and credit/debit card issuers (including banks and credit unions).

Each major party in the system claims that the others should be doing more to maintain security, and their bickering ultimately leaves the customer at risk of data and identity theft.

Merchants have long claimed that financial institutions take too large a percentage of each sale in the form of “swipe fees” – and argue that some of these billions of dollars should be used to introduce new security technologies, such as EMV, or chip-embedded cards, to replace insecure magnetic stripes.

The issuers say that retailers are the point of contact (where the actual theft takes place) and should do more to shore up security at their end.

EMV technology is being rolled out in North America this year, so there are things being done. In addition, new mobile technologies (such as Apple Pay, which many credit unions are embracing) promise to make the entire payments process safer by keeping personal data out of the transaction loop.

In the meantime, breaches are still occurring, and customers are still being compromised. A settlement of this case will not address the core issue of security; it will merely address the institutional cash damages, after the damage to customers has been done.

With each side claiming the others should be doing more, the sad fact is that it will probably take federal government action to prescribe a comprehensive, lasting and effective solution. After all, as the Sony/North Korea data breach taught us all, the stakes in this issue go way beyond financial and identity theft.

Copyright Today’s Credit Unions