Merchant Data Breaches, the Gift that Won’t Stop Giving

The pressure is on. You’ve grabbed the last of this holiday season’s popular toy off the shelf. You race to the checkout counter, swipe your debit card, and… “declined!” Why, you wonder? Chances are, it’s because your debit or credit card information has been compromised due to a merchant whose data protection infrastructure was penetrated by fraudsters forcing your financial institution to suspend your account.

It’s a common occurrence these days, and it’s creating frustration for not only consumers but for the financial institution that provided you that card. Each day, credit unions like Eaton Family Credit Union receive a list of potentially-compromised cards due to frequent merchant-borne data breaches. It’s in our best interest to protect our members and, therefore, must cancel those debit and credit cards in the hopes of lessening the amount of fraud exposure. Often it is too late, and if our members are defrauded, we will make them whole, and promptly order and send a new card.

Credit unions not only cover the cost of fraud, but also the costs of blocking transactions, reissuing cards, increasing staff at call centers, and monitoring consumer accounts. After the Target breach in 2013, for example, credit unions were left on the hook for $30.6 million, according to estimates by the Credit Union National Association. Additionally, credit unions reissued roughly 4.6 million credit and debit cards in the aftermath. The 2014 data breach at Home Depot was larger than Target, costing credit unions an estimated $57.4 million.

Ever wondered how much cost incurred by credit unions, and, as such, their members to merchant data breaches, is repaid by merchants? Zero.

As member-owned, not-for-profit institutions, these dollars are better used for lending to consumers and small businesses in Northeast Ohio.

It also causes great reputational harm to credit unions such as ours. Each time a member is inconvenienced by card cancellation, the finger is usually pointed back at us. That’s compounded by the fact that merchants aren’t required to notify institutions like ours after a possible breach has occurred. The sooner we can identify the source of the breach, the more quickly we can inform our members and reduce the amount of fraud.

Congress needs to pass legislation that would subject merchants to the same data protection standards as our credit union and put notification standards in place. It’s time for Congress to side with consumers and credit unions in solving this costly and prevalent issue.