Mercator Blog

Who Should Pay for Reissuing Payment Cards Post Data Breach?
Date: January 27, 2014
Research Team

Security breaches involving card data are a major headache for financial institutions, but it’s not in credit card issuers’ best interest to ask retailers to pay for card reissuance after these events.

No matter how much banks might think retailers benefit from accepting credit cards, the fact is that merchants are getting tired of what they perceive to be jumping through hoops just to get paid. For many retailers, issuers are the enemy. Point-of-sale terminals, interchange fees, compliance with PCI standards, changing industry standards (i.e., EMV)—requirements all add up. Interchange in particular has become an undeniably dirty word in merchant and regulatory circles alike.

Merchants’ frustration with card acceptance is visible in a number of ways:

  • The recent Merchant Discount Antitrust Settlement regarding surcharging (which, by the way, was the largest antitrust settlement in U.S. history) 
  • Retailers’ increasingly collaborative efforts to develop their own payment ecosystems (i.e., MCX) 
  • Their support of virtual (and interchange-free) currencies like Bitcoin 
  • Growing acceptance of alternative payment types such as PayPal at the point of sale, and 
  • Sustained interest in steering consumer to low(er) cost payment types like private label, debit, and prepaid 

Adding another cost item to payment card acceptance in the form of data breach liability will only incent retailers to ratchet up their promotion of payment products that compete directly with bankcards, not to mention the small cohort of merchants that will stop accepting cards altogether. Issuers, ideally with the help of the card networks, would be better served by working with merchants to develop solutions that make accepting card payments easier and more secure.
Follow Michael on Twitter @mikemisasi.