Digital Transactions Authoritative, insightful and timely information for payments professionals
By Jim Daly
Continuing its effort to get a massive data breach behind it, discount retailer Target Corp. announced Wednesday a $19 million settlement with MasterCard Inc. to compensate banks and credit unions for the fraud and card-reissuance costs they incurred for their MasterCard-branded credit and debit cards affected by the breach Target reported in December 2013.
Under the agreement, Target will fund up to $19 million that MasterCard will use to make so-called alternative recovery offers to individual issuers based on their Target-related expenses. Upon accepting the offer, each issuer will release MasterCard, Target and its merchant-acquiring banks from all claims related to the data breach, including remaining class-action lawsuits in federal court, according to Target.
The settlement is contingent on issuers representing at least 90% of the eligible MasterCard accounts accepting their alternative recovery offers, either directly or through their sponsoring issuers, by May 20, MasterCard said. Assuming the settlement is approved, issuers will be paid by June 30.
“We believe this settlement provides our issuers a reasonable resolution of the Target data-breach event,” Eileen Simon, chief franchise integrity officer at MasterCard, said in a news release. “The timely reimbursement of costs and losses under the agreement delivers MasterCard issuers a faster and more certain resolution to the event, while reinforcing our commitment to maintain the integrity of industry security standards.”
Minneapolis-based Target said a total of 40 million payment cards were compromised by the breach. How many were MasterCards, and how many issuers were affected, is unknown. Spokespersons for MasterCard and Target did not respond to Digital Transactions News inquiries Thursday morning. The breach also compromised non-card data on 70 million customers.
Target said that the cost of the MasterCard settlement already is reflected in its financial statements. The company’s annual report for fiscal 2014, ended Jan. 31, 2015, says that since the breach began, Target has incurred total expenses of $252 million. Target expects $90 million in insurance reimbursements, bringing its net expense to $162 million.
“We are hopeful that Target’s agreement to pay up to $19 million to settle the claims of MasterCard and its issuers will result in a high level of issuer acceptance,” Scott Kennedy, Target’s president of financial and retail services, said in a statement. “Target intends to continue to defend itself vigorously against any assessments made by MasterCard on behalf of MasterCard issuers that do not accept their offers.”
MasterCard said that issuers that don’t accept settlement offers “will have their claims determined by MasterCard internal processes” and could receive more or less than the amounts available through the settlement. Those amounts will depend “on various factors,” MasterCard said, “including MasterCard’s final determinations of their claims and the outcome of any litigation that Target may file to challenge claim awards to issuers outside of this settlement.”
The Target breach was unusual in that many issuers quickly replaced potentially compromised cards even if they hadn’t detected any fraud. Re-issuance can cost a large issuer $3 to $5 per card, according to data-security analyst Julie Conroy, research director at Boston-based Aite Group LLC.
Target is negotiating a settlement with Visa Inc., according to press reports. Last month, the company settled breach-related consumer litigation for $10 million.
