Target Corp. on Wednesday reported second-quarter financials reflecting its lowered expectations, but the discount retailer’s top brass also shed some light on how the massive data breach Target disclosed last December affected consumers’ applications for and usage of its private-label payment cards, particularly its debit card. Target’s results confirm that a data breach can hurt a retailer well beyond the up-front costs for fixing and fortifying computer systems, reimbursing general-purpose card issuers for fraud and re-issuance of compromised cards, and paying network fines.
“As I mentioned on the last [earnings] call, we have seen a slower trend in debit card applications since the data breach, which is leading to slower growth in sales penetration,” chief financial officer John Mulligan told analysts.
Customers’ use of Target’s debit and credit cards, dubbed REDcards, is still growing, however, with the cards accounting for 20.8% of U.S. sales in the quarter ended Aug. 2 compared with 18.7% a year earlier. Target-branded credit cards accounted for 11.1% of sales in the second quarter, up from 9.4% last year while the debit card captured 9.7%, up slightly from 9.3%.
Target first began reporting a slowdown in its cards’ growth in 2013’s fourth quarter. At Target’s first-quarter earnings call on May 21, Mulligan, who at the time was serving as interim chief executive in the wake of CEO Gregg Steinhafel’s resignation earlier that month, said the REDcards had increased their penetration of store sales by a “very healthy” 3.3 percentage points, but the growth was still “a couple of percentage points below rates we were seeing prior to the data breach.”
These trends are forcing Target to spend more to attract cardholders. Mulligan said Target “ramped up” REDcard offers to store customers in the first quarter, and more promotions took place in the second. Mulligan gave few details, but much of the effort is focused on finding new debit card holders. “We’ve taken steps to reaccelerate growth in REDcard applications, including increased activity in our stores, and we’ve begun to see improvement in REDcard issuance as a result, particularly in the last few weeks,” he said today.
It will take time, however, for new account bookings to translate into increased store-card sales penetration, Mulligan cautioned.
Target has a unique debit card that uses a variant of the decoupled model by drawing funds from the cardholder’s checking account via the automated clearing house network. The card, as well as Target’s private-label credit card issued by TD Bank USA, offers 5% off purchases, free shipping for online purchases, and an extended return period. Target also is reissuing a cobranded Visa credit card as a MasterCard. Target earlier announced that it would spend $100 million to convert its card file to the Europay-MasterCard-Visa (EMV) chip card standard.
Security researcher Larry Ponemon, chairman of the Traverse City, Mich.-based Ponemon Institute, says Target’s card promotions to restore customer confidence are yet one more expense resulting from the breach, which compromised 40 million cards and non-card data on 70 million customers. “Those incentives, minus what they consider their normal growth, could be a pretty large indirect cost of the data breach,” Ponemon tells Digital Transactions News.
Ponemon points to Sony Corp., which in 2011 revealed a two-pronged attack on its Playstation and Online Entertainment networks that compromised approximately 100 million customer accounts, including some credit card and bank-account numbers. To lure back customers, Sony embarked on an expensive marketing campaign that included discounts. “In sum total it was almost $100 per customer,” says Ponemon, adding that “it worked.”
Target today stuck to its Aug. 5 forecast that the second quarter’s breach expenses would come in at $148 million, partially offset by a $38 million insurance receivable. Breach expenses since 2013’s fourth quarter now total $236 million, with $90 million covered by insurance for a net to Target of $146 million. Target’s earnings release says the company believes it has accounted for the “vast majority of actual and potential breach-related claims, including claims by payment-card networks,” but its estimates could change. Target faces numerous lawsuits from consumers and card issuers that are in the early stages of litigation.
Ponemon had predicted Target’s direct and indirect costs could hit $750 million to $800 million, but he’s planning on a downward revision in part because its efforts to restore consumer confidence seem likely to reduce the indirect costs of lower sales and reduced card usage. “They fact that they even mention some of the less direct costs to the analysts is a pretty bold step,” he says. “I think in general the company did a very good job in handling the breach.”
Target reported second-quarter net income of $234 million, down 62% from $611 million a year earlier, on revenues of $17.4 billion, up 2% from $17.1 billion.