Target, MasterCard near new settlement of 2013 data breach

Target (NYSE:TGT) is hoping to soon close the books on its costly 2013 data breach by negotiating a second settlement with MasterCard (NYSE:MA), similar to the deal reached with Visa (NYSE:V) this month.

The retailer reached a $67 million agreement with Visa to reimburse card issuers for costs incurred in the data breach. A previous settlement with MasterCard for $19 million fell through in May when the deal did not get enough support from the credit card-issuing banks and credit unions.

A proposed settlement of a class action suit, revealed in March, calls for Target to pay individuals up to $10,000 in damages. The deal is valued at $10 million.

The Target data breach took place during the fourth quarter holiday season of 2013 and impacted the credit card information of 40 million shoppers, and the personal data of as many as 70 million more people. It was the first of the major retail data breaches to be widely publicized.

In rejecting the previous MasterCard settlement proposal, the card issuers said the compensation for expenses related to the breach, such as card reissuance, was inadequate, Information Security Media Group reported. Instead, they continued to push for more money through a class action suit. If accepted, a new deal between Target and MasterCard would presumably end that legal action.

Visa's top issuers have accepted the card network's settlement proposal, so MasterCard is now finalizing negotiations with the retailer for a revised settlement.

In a statement provided to ISMG last week, MasterCard said it is "pleased that Target announced its settlement agreement (with Visa) yesterday. We have been working closely with Target on this from the start, and they have indicated to us that the same approach and comparable terms are being made available to MasterCard issuers. This reflects our ongoing collaborative efforts over the past few months to resolve the matter. We will now place the revised Target settlement offer in front of our customers for their consideration."

Banks and credit unions will likely accept any settlement offering a reasonable payout, said Jeff Man, a strategist with Tenable Network Security and a security evangelist. They want the media attention on the Target breach, as well as questions about payments security, to disappear. Man is a former qualified security assessor for PCI compliance.

"Conflicts of interest aside, it would behoove all of the banks, processors and card brands to quickly move to settlement," Man said. "The more common breach settlements become, the more normalized the breach recovery costs will become, which will make negotiating these settlements easier in the long run."

Avivah Litan, a financial fraud expert and analyst at Gartner, is not convinced that breached retailers should pay more to cover losses and expenses associated with breaches. This makes assessing the adequacy of settlements, such as Visa's, impossible.

"This process is totally opaque, and there is no hard information available for market observers to analyze," Litan said.

Determining what Target should pay requires knowing what the retailer has already paid in interchange and merchant fees. "Those fees are intended to be 'fair market' and competitive mechanisms to ensure there is a balance across benefits and costs incurred by both retailers and issuing banks. And the setting of those fees is anything but transparent," she said.
