Who Really Pays For Weak Retail Security?
Written by Evan SchumanAs legislation moves through the Massachusetts legislature–and is threatened to be introduced into the U.S. House of Representatives–assigning responsibility for retailers if they have a data breach that is found to be their fault, former federal prosecutor Mark Rasch makes an interesting observation.
While the debate has focused attention on the banking lobby’s position that they foot the bill for the losses due to retail errors, he counters that, ironically, it ends up being the retailers–as a group–who pay for retail security violations.
No, we’re not talking about retailers having to pay higher card interchange rates to pay for the fraud. That’s true, but there’s a much more real cost. When a cyberthief steals data from TJX, that thief will quickly try and convert it into spending money, most likely via a fraudulent card-not-present purchase that is quickly converted into cash.
Those fraudulent purchases are usually made at retail locations. When those charges are reversed by the banks, it’s the retail victim that often ends up paying for that merchandise. If there was justice in the world, the thief who steals data from TJX would then make fraudulent purchases at TJX, but data thieves?who tend to have a poorly developed sense-of-the-ironic?often make their bad purchases anywhere but the retailer from whom they stole the data.
But wait, this gets even more perverse. If you take the scenario to the next logical step, it means that a TJX would indeed get punished when, let’s say, cyber thieves break into the databases of CircuitCity or RiteAid and then use that information to make fake purchases at Marshalls or TJ Maxx.
In an Orwellian twist, a retailer would fare best by comparison as long as every other retailer has a better security setup. Talk about retailers having to pay for the sins of their brothers.
-Dan Stiel
February 23rd, 2007 at 11:42 am
If we’re talking about who ultimately pays more it’s obviously the consumer. Regardless of any legislation the consumer is at the bottom of this feeding chain.
When banks are held liable then it’s the consumer that pays more in fees and through reduced margins on interest rates.
When retailers are held liable then it’s the consumer that absorbs higher prices as a result of litigation, penalties or (as described in this article) credit card fraud.
A valid point is made with respect to the irony of retailers that are “punished” by their peers’ security breaches but I believe it’s important to remember that it is consumers that ultimately foot the bill.