Investigators are still sorting through just how thieves compromised
about 40 million payment cards and the information of about 70
million Target customers. But people who have reviewed past data
breaches believe Target's partners could face consumer lawsuits and
fines that payment networks such as Visa Inc and MasterCard Inc
often levy after cyber security incidents.
Target's partners "have deep pockets and are intimately involved in
certain aspects of how Target gets paid," said Jamie Pole, a cyber
security consultant in Asheboro, North Carolina, who works for
government agencies and the financial industry.
Fines and settlement costs could reach into the millions of dollars
for individual companies, he said, though much will depend on how
the ultimate liability for the breach is determined.
Boston attorney Cynthia Larose of Mintz Levin said Target would
likely seek to add its partners as defendants to lawsuits already
filed over the breach. "These class-action lawsuits start to bring
everyone in at some point," she said.
After its systems were penetrated by hackers in the mid-2000s,
retailer TJX Companies Inc agreed to pay up to $40.9 million to
cover fraud costs in a settlement with Visa. Visa also issued
penalties of $880,000 against Fifth Third Bancorp of Ohio, which
processed transactions for TJX.
Asked about the business relationships and possible costs, Target
spokeswoman Molly Snyder declined to comment, citing the ongoing
investigation and pending suits. A Visa spokeswoman declined to
comment. A MasterCard spokesman said the company could not discuss
an ongoing investigation.
HANDLING TARGET TRANSACTIONS
Several companies are involved in any purchase from a store such as
Target. A bank issues the consumer's payment card, while a separate
organization known as the "merchant acquirer" handles the payment
for the store, when the card is swiped. Companies such as Visa and
MasterCard operate the networks over which the payment request and
confirmation are sent.
Companies performing these roles for Target were identified in a
research note by Robert W. Baird & Co analysts on December 19.
According to the note the merchant acquirer used by Target for
credit and debit card transactions is Bank of America Merchant
Services, a joint venture of Bank of America Corp and KKR & Co's
First Data Corp.
[to top of second column]
A spokesman for the joint venture declined to comment, as did a
spokesman for Bank of America. Bank of America is due to release
earnings on Wednesday morning. A spokeswoman for First Data, Nancy
Etheredge, said via email that the company "processes some
transactions for one of Target's merchant acquirers" but declined to
offer more detail.
The note also identified Vantiv Inc of Cincinnati as processing
transactions for Target customers who type in personal
identification numbers for debit transactions. It said Vantiv
expected "no impact from the breach." Vantiv representatives did not
Target-branded payment cards are issued by Toronto's TD Bank Group.
A spokeswoman said via e-mail that "It would be inappropriate to
comment on any potential fines at this time."
One author of the Baird report, analyst Timothy Wojs, said it is too
soon to predict what fines or settlement costs might result. In the
past, fines by Visa and MasterCard have been insignificant to
payment processors but set the stage for larger settlements to cover
bank losses, he said.
FINING THE MIDDLEMEN
Fines in cyber cases have drawn some push-back from merchants. In a
case in U.S. District Court in Nashville, Tennessee, specialty
retailer Genesco Inc Inc is suing Visa over the $13.3 million it
says Visa wrongfully collected from its banks, Wells Fargo & Co and
Visa collected the money after a cyber-attack obtained payment data,
though the data was handled within industry standards, according to
the company's complaint.
Wells Fargo declined to comment. A spokeswoman for Fifth Third did
not respond to questions. In court filings Visa defended its actions
as in keeping with laws and contracts.
(Reporting by Ross Kerber in Boston;
editing by Richard Valdmanis, Peter Henderson and Lisa Shumaker)
[© 2014 Thomson Reuters. All rights
Copyright 2014 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.