BreachExchange mailing list archives

Why Visa's Paying Banks More after Breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 19 May 2015 19:37:38 -0600

http://www.databreachtoday.com/blogs/visas-paying-banks-more-after-breaches-p-1859

The debate between merchants and banking institutions over accountability
for card fraud has been a heated one for the past year and a half (see
Retail Breaches: End the Finger Pointing).

Banks say retailers should be held accountable for more expenses resulting
from breaches for which they bear some responsibility.

But retailers argue that the interchange fees they pay to the card brands
to route transactions through their networks are designed to cover
breach-related expenses. When a retailer is breached, Visa and MasterCard
pay issuers from these fees paid by retailers.

So, retailers have said that if the banks have a grievance about how they
are reimbursed for card-reissuance, they should direct their concerns to
the card brands.

Well, it seems they have.

Last week, Visa agreed to increase pay to banking institutions when they
must reissue cards in the wake of a merchant breach.

The American Bankers Association announced on May 14 that Visa had agreed
to substantially increased reimbursements to community institutions, which
typically have more difficulty than larger banking institutions when it
comes to covering all of the costs associated with fraud detection,
mitigation and card reissuance. Visa is moving to a tiered system, with
higher reimbursements for all banks, based on annual card purchase volume.

The new tiered reimbursement system will pay smaller card issuers, such as
community banks, more for the cards they have to reissue, the ABA says.

"As retailer data breaches, including those at Home Depot and Target, have
become more frequent and more damaging, banks have responded proactively by
reissuing cards - preventing millions of dollars in fraud losses," the ABA
says in its statement. "An ABA survey last year that was shared with the
card networks found that smaller banks pay significantly more to reissue."

The ABA says it's been lobbying for a year for the card brands to re-assess
their reimbursement structure. So this was a big win, from the ABA's point
of view. But so far, Visa is the only card brand to make any changes.

Rather than paying $2.50 for each re-issued card - which historically was
the rate paid to every institution impacted by a breach, regardless of the
institution's asset size or Visa transaction volume - banking institutions
with less than $500 million in annual Visa purchase volume will now be paid
$6 for every card they have to reissue in the wake of a breach at a
merchant, according to the ABA.

Visa declined to comment about the adjusted system. But Jim Chessen, the
ABA's chief economist, says the higher reimbursements are a huge step
forward for community banks, which really take a hit when they have to
reissue cards. Chessen says smaller institutions' volume of Visa
transactions is too low for them to absorb the high expense of reissuing
cards.

"I think Visa really took a great step forward and realized that the cost
for smaller issuers was too high and very expensive," Chessen says. "The
tiered approach recognizes higher expenses for smaller-volume issuers."

Other adjustments now accounted for in Visa's tiered system:

  * Institutions with between $500 million and $10 billion in annual Visa
    transaction volume will now receive $3.85 for each card reissued;
  * Institutions with more than $10 billion in annual Visa transaction volume
    will receive $2.65 per card; and
  * In addition to the higher rates tied to a bank's size, all issuers will be
    reimbursed an additional $1 for every chip card they reissue.

The changes take effect July 1 and will be applied to all card-reissuance
expenses associated with breaches that are detected after that date, the
ABA says.

MasterCard did not respond to my inquiry about whether it plans to change
any of its reimbursement allocations. But ABA's Chessen says he's hopeful
it will follow Visa's lead.

While MasterCard already reimburses card issuers based on a tiered system,
Chessen says the payout rates should be higher for smaller institutions.

"The ABA has been trying for more than a year to get Visa and MasterCard to
reconsider their reimbursement rates," he says.

Chessen says results from a July 2014 survey of 500 ABA member banks, which
were asked about the reissuance expenses they incurred after the Target
breach, garnered attention from the card brands.

"We had a lot of interest and long conversations with both Visa and
MasterCard as a result of that survey," Chessen tells me. "It was clear
that smaller issuers bear a bigger burden."

I'm surprised Visa declined to comment about this new reimbursement
structure. It's a positive step.

But given that the card brands have remained silent in the midst of all the
wrangling that's been going on between bankers and retailers, it's not
surprising that Visa wants to stay on the periphery of all the
finger-pointing.

Your thoughts on this latest move?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
