US retail giant Target is close to reaching a settlement with MasterCard Inc. to reimburse financial institutions roughly $20 million for costs they incurred from the retailer’s massive data breach in 2013.
The deal, expected to be announced in the coming weeks, comes after months of negotiations, said sources. The $20 million covers costs that banks incurred to reissue credit cards and debit cards as a result of the breach, as well as some of the fraud that resulted from the exposure of customer information.
The payout would be roughly the same as TJX Cos. paid to MasterCard issuers in 2008 for a data breach that exposed more than 100 million cards to fraud. TJX is the parent of discount retailer TJ Maxx in the US and TK Maxx in Europe.
The settlement underscores the ongoing financial costs that are associated with a wave of data breaches that have exposed hundreds of millions of Americans to fraud over the past year. Target disclosed in a recent financial filing that it has incurred $252 million of breach-related expenses.
Target’s breach, in particular, rattled consumers because it occurred during the winter holiday shopping season. The breach compromised 40 million credit and debit card accounts.
The breach also set off a frenzy among card-issuing financial institutions as they scrambled to send new cards to customers. Some took the unusual step of reissuing cards en masse even if no fraudulent activity had been detected.
It also led to renewed calls for merchants to upgrade their terminals at the checkout line to accept cards that are embedded with a computer chip that are more difficult for thieves to replicate. Target has since upgraded its stores to accept the more secure cards that are now being issued by financial institutions.
Other merchants are also upgrading their equipment ahead of an October deadline that will shift fraud liability from banks to merchants under certain circumstances. Some merchants are saying, however, they won’t be able to meet the deadline.
Minneapolis-based Target is likely to be on the hook for more payments in the future. The company is holding similar negotiations with Visa Inc., which is larger than MasterCard, according to people familiar with the talks.
In March, Target agreed to pay $10 million to settle a consumer class-action suit tied to the breach.
MasterCard, which has been negotiating with Target on behalf of the card-issuing financial institutions, will distribute the reimbursed funds to the firms that issue credit cards and debit cards under its brand.
Citigroup Inc. is the largest MasterCard issuer with 46 million credit cards, according to the Nilson Report, a Carpinteria, Calif.-based industry newsletter. Capital One issues 43.2 million credit cards under the MasterCard brand and J.P. Morgan Chase & Co. issues 18 million.
The negotiations have been particularly difficult because the Target breach was followed by a wave of other high-profile breaches, including one at Home Depot Corp. that was even larger. During the discussions, Target representatives contended that they shouldn’t be forced to reimburse banks for reissuing cards that would have needed to be reissued anyway due to the other breaches, according to people familiar with the negotiations.