In the wake of the Target breach, I am struck by the almost universal lack of understanding of the essential issues at hand. Consumers are the primary victims, but merchants take a hit, too. Why? Because our payment system is broken: it does not have real security in place, since the credit card companies that control the system can push the costs of fraud onto retailers.
The two largest brands, Visa and MasterCard, control all of the elements related to the operation of their card networks — including the swipe fees, the largest part of what merchants are charged to accept the cards, how consumers' account information is protected and who pays for fraud. For doing that, Visa and MasterCard reaped a collective $8.1 billion in profits over the past 12 months, with minimal exposure to any financial loss related to card security flaws.
Merchants have precious little say in how cards are protected from theft, even though trade association studies have found merchants cover most losses from credit card fraud. While Visa and MasterCard dictate card security and allow transactions to proceed without authentication or encryption, they have little real interest in implementing effective security because they don't absorb many fraud losses. In other words, doing what is right would cost Visa and MasterCard without adding to their revenue. So they don't bother.
Some pundits disingenuously blame the Durbin amendment. Durbin's attempt at curbing the runaway costs of the debit payment system paid to the largest banks has no direct financial impact on Visa and MasterCard. In fact, under Durbin, merchants paid $250 million in special interchange fees over the past year to the largest banks covered by the Durbin amendment to "innovate" data security methods that better protect the consumer. Any contention that Durbin may have financially hamstrung issuing banks (the fewer than 200 covered under Durbin) from doing the right thing is just wrong.
Merchants have invested billions of dollars to secure the estimated 12.6 million "endpoints" where consumers transact business with their cards. But much of that money was spent just to comply with Payment Card Industry security standards. PCI is controlled by the major card companies and, instead of focusing on the most effective anti-fraud systems possible, such as simply requiring the use of PIN, PCI focuses on pushing costs onto merchants. Target was in compliance with PCI standards. Clearly that wasn't enough.
While it is easy to vilify Target, the retailer is a victim along with consumers. We're all hurt by the major card companies devaluing security because they push the costs onto merchants. The card companies' refusal to take on real card security has made the U.S. more vulnerable and fraudsters around the world know it. Our country is a magnet for fraud even though we pay the highest swipe fees in the industrialized world. Real card security standards need to come from an objective source, such as a standard-setting organization or regulator, not the card companies.
Doug Kantor is counsel for the Merchants Payments Coalition.