Target announced its selection of MasterCard to support the roll-out of chip-based REDcards as the retailer looks to bolster the security of its portfolio. But this week we also learned that the impact of the retailer’s breach is affecting the earnings of one of the country’s top prepaid card providers, Green Dot.
Information continues to trickle in regarding the effects the Target breach has had on the payments industry. In some cases, those affected weren’t necessarily issuers of traditional credit or debit cards, but prepaid card providers as well that sell products on the retailer’s shelves and elsewhere.
This issue came to light this week when Green Dot’s founder, chairman and CEO, Steven Streit, discussed the company’s first quarter earnings with analysts. During the call, Streit commented that Target’s data breach impacted the company’s top-line and bottom line results. As a precaution, he said, Green Dot suspended sales of some products and pulled them off the shelf for about 45 days during the period, and some of that inventory remains off the shelf today.
“We took these proactive measures because we wanted to ensure that products that we sell that don’t have the same type of customer-verification processes as our [general-purpose re-loadable] cards weren’t purchased by bad guys using stolen debit and credit card data,” Streit said. “So we lost those sales until we were able to get a better handle on the scope of the hack.”
As a result of suspending the card sales and the associated collateral impact of removing the products off the shelf, Green Dot experienced a loss of about 1% of revenue during the quarter, he said.
In addition, Green Dot experienced costs related to much higher-than-normal charge-offs from customers whose card data was compromised in the Target breach, Streit said, noting the company provides protections to cardholders reporting illicit card activity under Regulation E of the Electronic Funds Transfer Act. “So when a customer spotted an unauthorized transaction on their card statement, they called our customer service center, reported the disputed transaction and, if deemed to be a legitimate dispute, they were refunded the amount of the unauthorized transaction,” he said.
Additional expense came from mass reissuing of cards to customers the company believed could have been affected by the Target data breach, regardless of whether they reported a dispute, Streit said.
“So all in, we estimate the cost of refunding customers who reported unauthorized transactions, and the cost of reissuing potentially compromised accounts, cost us together around 2 points of adjusted EBITDA margin in the period,” he said.
Target Moves
On April 29, Target acted on earlier comments about pursing a chip-and-PIN strategy for its REDcards for added security, announcing plans to incorporate MasterCard’s EMV solution across the portfolio.
“Target and MasterCard are taking an important step forward in providing consumers with a secure shopping experience, and the latest in payments technology,” said Chris McWilton, president, MasterCard North American Markets. “Our focus, together with Target, is on safety and security.”
The announcement was a slap at Visa, which tested chip-based REDcards with Target a decade ago before the retailer reverted to traditional mag-stripe technology.
Visa, perhaps more so than MasterCard, has supported chip-and-signature EMV solutions, and that may have been a factor. However, during MasterCard’s May 1 first-quarter earnings call with analysts, Ajay Banga, the card brand’s president and CEO, noted that MasterCard also is flexible on the issue, commenting, though, that the issues that have affected Target “opened a whole new set of discussions around EMV and chips and signature and PIN and tokenization … .”
EMV update
In terms of market roll-outs generally, Banga stressed they will be a mix of chip and PIN and chip and signature, based partly on the types of EMV terminals merchants deploy. “It’ll depend on consumer behavior,” he added on the call. “As you know, we’ve even incented for people to have chip and PIN. But at the end of the day, we will work with what works in that environment, and that’s what we’re trying to do.”
The EMV Migration Forum announced this week that it is providing the U.S. debit industry with help implementing the EMV chip technology with the release of a technical EMV debit framework.
“The solution provides an approach for the debit card processing scenarios we know of today, so debit industry organizations can continue on the way to chip implementation with confidence,” Randy Vanderhoof, director of the EMV Migration Forum said, said in the announcement. “Overcoming chip-migration challenges impeding faster adoption is a priority for the EMV Migration Forum, and the release of this technical proposal reflects the expertise, commitment and collaboration of our cross-industry membership over the last several months.”
Heartbleed bleeds on
The Heartbleed bug that affected Open SSL security also reportedly affected older versions of Android smartphones. The Android version 4.1.1 that was released in 2012 still carries the Heartbleed flaw. And though Google has “applied patches to key Google services,” according to the company, individual wireless carriers and handset makers still need to push out the fix, Mashable reported.
Despite the potential security problems Heartbleed poses, a recent study found that only 39 percent of adults have changed their passwords. Though the bug may have affected more than 500,000 websites, including some of the highest-trafficked destinations on the Internet like Yahoo and Google, the study report suggested that the reason relatively few consumers changed their passwords is because they weren’t aware of the issue. According to a poll of 1,501 adults, only 64 percent had at least heard of the bug.