Visa Inc. has struck a settlement with Target Corp. that would reimburse Visa’s credit and debit card issuers up to $67 million for their expenses related to Target’s massive data breach in late 2013. Meanwhile, hackers who stole data from the Ashley Madison Web site have posted seven years of payment data about people hunting for extramarital affairs, according to news reports.
Visa’s settlement with the Minneapolis-based retailer was first reported Tuesday by The Wall Street Journal, citing anonymous sources.
Under Visa's Global Compromised Account Program, Target will pay 100% of issuers' eligible counterfeit-fraud and operations costs related to the breach, notably card reisussance. Unlike the proposed $19 million recovery plan MasterCard Inc. struck with Target to reimburse its issuers and which issuers rejected, this portion of the Visa plan does not require issuer approval.
Under the second part of the plan, Target will pay breach-related fraud expenses arising from transactions on Visa-branded debit cards where the transactions went over PIN-debit networks, not the Visa-owned VisaNet. To get paid under that provision, however, issuers must agree not to sue Target.
In a statement, Target said the agreement “is conditioned on a subset of issuers—representing the majority of the Visa cards that Visa determined were at risk as a result of the breach—having entered into direct settlements with Target and Visa. On Aug. 17, Visa certified that the required subset of issuers had entered into settlements for the agreement to become effective. As a result, offers are being extended to the remaining group of eligible Visa issuers using a settlement formula that would enable them to achieve the same economics as the Visa issuers that have already settled with Target and Visa.”
Visa issued a statement saying that it “has worked to help Target reach a resolution for the expenses incurred by financial institutions as result of the 2013 compromise. Nevertheless, the fact remains that data breaches are an unfortunate situation for all parties involved—especially consumers. This agreement attempts to put this event behind us, and increase the industry’s focus on protecting against future compromises with new technologies.”
Issuers rejected MasterCard's Target settlement in May because they didn’t believe the deal compensated them enough for their expenses. In addition, some financial institutions are suing Target in federal court over the breach.
Target has said that the breach affected a total of 40 million payment cards. Issuers reportedly have incurred more than $300 million on Target-related expenses in the past 18 months, including fraud costs and re-issuance of compromised or potentially compromised cards. Because of Target’s high profile, issuers whose customers had shopped at Target quickly reissued many cards even in the absence of any suspect transactions.
A statement issued by the Arlington, Va.-based National Association of Federal Credit Unions indicates a degree of issuer skepticism about the Visa-Target plan.
“This settlement may be a start but much more needs to be done to make credit unions whole,” NAFCU senior vice president of government affairs and general counsel Carrie Hunt said in the statement. “Credit unions deserve to be fully compensated for their losses.”
Target Wednesday morning reported financial results for its second quarter of fiscal 2015 ended Aug. 1, but the company made no mention of the Visa settlement and the topic did not come up in a conference call with analysts. The retailer did report spending $12 million, pre-tax, on breach-related expenses in fiscal 2015’s first six months. That’s on top of net expenses of $162 million—$252 million in cumulative costs partially offset by expected insurance recoveries of $90 million—that Target said it had incurred from the start of the breach through the end of fiscal 2014. Target says the settlement's costs are reflected in its financials.
In other payments-security news, the hacker or hackers reported in July to have broken into Avid Life Media’s AshleyMadison.com site for people looking for extramarital affairs followed through on threats to post stolen data. Among the nearly 10 gigabytes of data now online are seven years’ worth of payment transaction details according to Wired.com.
“The data, which amounts to millions of payment transactions, includes names, street address, email address and amount paid, but not credit card numbers,” Wired said. “Instead it includes four digits for each transaction that may be the last four digits of the credit card or simply a transaction ID unique to each charge.”
AshleyMadison.com had about 37 million users before the breach and was the leading site for cheating spouses looking for hook-up partners. The hackers, who call themselves “The Impact Team,” stole corporate data as well as customer logins and other information in addition to payment data.
The hackers apparently posted the data because Avid Life Media failed after the breach to take down AshleyMadison.com and a related Web site. According to Wired, they posted the stolen information Tuesday on the so-called dark Web, where it is accessible only by using the Tor browser. Unlike conventional browsers, Tor does not track users’ online activity.