Merchants Clarify Who Foots the Bill for Data Breaches

Contrary to what the banking community says, merchants pay the most for costs associated with data breaches at banks.

February 13, 2015

WASHINGTON – NACS and the National Retail Federation (NRF) sent a joint letter to the Senate Banking Committee and the House Financial Services Committee clarifying that merchants are the ones footing the bill for data breaches incurred at banks.

Banks have been falsely claiming that they pay for everything associated with data breaches that happen at retail establishments, and have gone so far as to ask for legislation that would require merchants to pay the banks for costs associated with data breaches. The reality is that merchants not only pay for their own data breaches multiple times over, they also pay for the banks’ data breaches. Therefore, the banks should actually be refunding money to merchants – not the other way around. 

NACS and NRF are setting the record straight by communicating to Congress that when there are fraudulent payment card transactions as a result of a data breach, merchants absorb more of those fraud losses than the banks.

LexisNexis and Javelin Strategy & Research have published a “True Cost of Fraud” report annually for the last several years. The 2009 report found, for example, that retailers suffer fraud losses that are 10 times higher than those of financial institutions and 20 times the cost incurred by consumers. This study also covered fraudulent refunds/returns, bounced checks and stolen merchandise. Of the total, however, more than half of what merchants lost came from unauthorized transactions and card chargebacks.

James Van Dyke, founder and president of Javelin Strategy, said at the time: “We weren’t completely surprised that merchants are paying more than half of the share of the cost of unauthorized transactions as compared to financial institutions. But we were very surprised that it was 90-10.”

Similarly, Consumer Reports wrote in June 2011: “The Mercator report estimates U.S. card issuers’ total losses from credit- and debit-card fraud at $2.4 billion. That figure does not include losses that are borne by merchants, which probably run into tens of billions of dollars a year.”

NACS and NRF wrote that the bottom line is that, more often than not, a fraudulent transaction is charged back to the merchant and the merchant – not the bank – is out the money.

“Of course, some of that fraud is due to bank data breaches, some is due to merchant data breaches and some does not result from either kind of breach. Nonetheless, merchants pay for more of it overall.”

The letter pointed out one key difference when merchants have a data breach: They are required by card company rules to pay for all of the increased fraud as well as for the costs of re-issuing the payment cards involved in the breach.

“These are separate payments from the fraud chargebacks that merchants pay … So far then, merchants pay twice for fraud. They pay for the majority of the fraud through chargebacks and, if they have a data breach, merchants pay for all the fraud that results from the breach.”

However, when banks incur a data breach, they do not pay for the merchants’ fraud costs nor refund the money that merchants have already prepaid. Banks simply keep the money and let merchants absorb losses.

“Unfortunately, the payment card system in the United States is not as secure as it could or should be,” NACS and NRF wrote. “Security as well as the unfairness on the cost of breaches needs to improve. When banks have data breaches, they should refund all the fees they’ve been prepaid on those accounts to the merchants that paid them, and they should pay for all the merchant fraud costs that result from those breaches. Merchants paying many times over for fraud does not make sense and should end.”
