Data Breaches Pre- and Post-EMV Chip Compliance Requirements: What We Can Learn from Home Depot, Target, and Wendy's
Home Depot is still feeling the effects of the fallout from its 2014 data breach. As a reminder, the breach affected more than 50 million cardholders who used payment cards on its self-checkout terminals in U.S. and Canadian stores between April and September 2014. The cyber thief posed as a vendor, using the vendor's username and password to access both payment card data and customer email addresses.
The retailer announced earlier this year that it reached a settlement with dozens of banks and has agreed to pay $25 million in damages. Prior to the settlement, Home Depot had already paid approximately $134.5 million in compensation to card brands and financial institutions and $19.5 million to affected customers. On top of that, court papers estimated legal fees, including costs for lawyers, could exceed $8.7 million.
The grand total is estimated to be approximately $179 million. This tally exceeds what Home Depot reportedly put aside for the breach, which amounted to $161 million of pre-tax expenses.
The $25 million settlement is over $10 million shy of what Target settled its similar lawsuit for back in 2015. After a lot of legal back and forth, Target paid out $39 million in damages for its data breach that affected approximately 40 million customers.
Both have since taken measures to ensure hackers are not able to recreate the theft. Home Depot and Target were among the earliest adopters of EMV chip card payment systems. All that to say, while implementation of chip card payment readers can be costly and time-consuming, the potential cost of not doing so can easily rise to millions of dollars, especially now that the liability for fraud has shifted to the least EMV chip compliant party in a transaction.
In 2016, popular fast food chain Wendy's reported a similar breach affecting more than 1,000 of its franchises across the country. The attack occurred over the course of five months beginning late fall 2015 and going into early 2016. One difference between this attack and those of Home Depot and Target is that Wendy's breach occurred after the October 1, 2015 liability shift. As of that date, liability for fraudulent credit card transactions began falling on whichever party wasn't compliant with EMV standards.
Wendy's had not yet adopted the EMV chip payment systems necessary to become compliant. As a result, it is facing a class action lawsuit citing this lack of compliance as just cause for compensation.
Wendy's wasn't alone as a fast food vendor reluctant to make the shift. Because EMV chip cards take a few seconds longer to process than swipe card payments, they are viewed as a major inconvenience by many retailers whose ability to serve customers quickly is a staple of their success.
While their reluctance might be understandable to a point, fast food retailers should consider which is more of a pain — a few more seconds per transaction, or the potential to be on the hook for millions of dollars in the event of a data breach. Time will tell which option the merchants choose.