Criminals have been more active of late finding ways to steal data on U.S. consumers.  Rather than trying to find ways to prevent these crimes in the future, credit unions have taken to Capitol Hill this week to blame the companies that have been victims of these crimes and try to get legislation requiring those companies to pay credit unions for the cost of re-issuing credit and debit cards.  While such opportunism is not unusual, it is unfortunate.  And, it stands in stark contrast to the actions of many other financial and retail groups which have come together to work cooperatively toward improving data and payment card security to prevent future crimes.

Most glaring to merchants, however, is what the credit unions won’t tell you – that merchants already pay for the cost of re-issuing cards and for the fraud that results from a breach multiple times.  Visa and MasterCard, the two dominant card networks, require merchants to reimburse banks and credit unions for the costs of re-issuing cards.  MasterCard, for example, provides higher per-card reimbursement rates for banks and credit unions that issue fewer cards.  The schedule also provides higher reimbursement rates for more advanced cards (like chip cards) than it does for less advanced cards (like magnetic stripe cards).  

And these forced reimbursements which already take place ignore the fact that merchants already pre-pay banks and credit unions for the cost of re-issuing cards in the event of a data breach.  The Federal Reserve rules governing debit card swipe fees, for example, specifically build the cost of re-issuing cards into its calculation of the amount of swipe fees that the largest banks charge merchants on debit transactions.  Credit unions as well as small and medium-sized banks all charge far more than what the Federal Reserve allows.  And, of course, all financial institutions charge far more swipe fees on credit card transactions than the Fed allows for debit card transactions.  Are they not using that money to cover the cost of re-issuing cards even though they told the Federal Reserve that its rules had to cover card re-issuance?  Just asking the question proves the answer.

Credit unions are prepaid the cost of re-issuing cards and then get reimbursed again for the same costs when merchants have a data breach due to Visa and MasterCard’s rules.  So, they collect the costs of re-issuing cards from merchants twice.

Not only that, but credit unions collect the costs of fraud from merchants more than once as well.  When merchants have a data breach, they are required by the card networks to pay for the costs of the fraud that results from the breach.  But, in the normal course of business, merchants already absorb more than half of the costs of card fraud through what are known as “chargebacks” – that is when merchants do not get the money on a transaction because the payment card networks decide the merchants must pay the cost of a fraudulent transaction.  This happens more than forty percent of the time on signature debit card transactions and more than half the time on credit card transactions.  And, even though financial institutions suffer thirty-seven percent of data breaches while merchants suffer twenty-four percent of them, financial institutions do not reimburse merchants for fraud chargebacks that occur as the result of the financial institution’s data breach.  In fact, some studies have found that merchants lose nearly ten times the amount to fraud that financial institutions do.

And all this ignores that merchants pre-pay the cost of fraud.  The Fed’s rules, for example, require merchants to pay a fee of 0.05 percent of the amount of every debit transaction on big banks’ cards to cover the costs of fraud.  This shouldn’t be the case and runs counter to the language of the law, but it happens anyway.  Merchants pay far more on all other debit transactions as well as on credit transactions.  Credit unions are collecting money to cover fraud from merchants before the fraud even happens.  

What credit unions are asking Congress is that merchants pay for card re-issuance three times over in addition to paying the cost of the actual fraud twice.  Opportunism in the face of these crimes is one thing, but trying to turn data breaches into a profit center is quite another. Frankly, the credit unions’ attempt accomplishes the remarkable feat of making mere opportunism look restrained.  

Instead of pointing fingers we should all find ways to prevent data breaches and fraud.

Beckwith is the senior vice president of Government Relations at the National Association of Convenience Stores.