Target May Be Liable For Up To $3.6 Billion From Credit Card Data Breach

This is not exactly the merriest of times for Target. Last week the retailer revealed that credit card data from 40 million customers had been stolen. Now it looks like the giant retailer could be liable for up to $3.6 billion.

Target could face a $90 fine for each cardholder’s data compromised, which translates to the $3.6 billion liability, according to a post on the SuperMoney website.

Here’s how it breaks down. Target will already likely face all sorts of lawsuits and the added cost to assure that everything in its infrastructure is secure, SuperMoney explains. But that’s just part of it. Back in 2006, Visa, American Express, JCB, Discover and MasterCard formed the PCI Council to oversee the new Payment Card Industry Data Security Standard (PCI DSS).

The data security standard defines how organizations handle cardholder information. The standard, obviously, is meant to help reduce the likelihood of credit card fraud. Target and other vendors usually get reviewed once a year to make sure they are keeping their house in order. It’s also a bit of a sham. The PCI Council likes to say that none of those it has certified have ever been breached. Well, not exactly. Certification has been retroactively revoked after a retailer has had a breach. Update: The PCI Council manages awareness about the PCI Security Standards. It does not assess compliance, nor do organizations report their compliance to the group. Enforcement of merchant compliance is managed by the individual payment brands.

Regardless, things can get pretty brutal for the retailer. It can face civil fines, suspension of credit card acceptance by its merchant account provider and a loss of all the trust that retailers bank on so much with their customers. Four states are now asking Target questions for a potential class action lawsuit. Suddenly, the retailer’s big target logo has a whole new meaning.

But the real damage becomes apparent when the fines are added up on a per cardholder basis. Even if a company is 100 percent PCI-compliant and validated, “a breach in cardholder data may still occur,” according to the Focus On PCI website. Cardholder breaches can result in $50 to $90 fines per “cardholder data compromised.” T.J. Maxx faced a similar dilemma in 2007 when the data from 90 million cards was stolen.

There are lots of theories for how the breach happened. But the worst part is how this affects people like you and me. The credit cards we use here in the United States for the most part have magnetic stripes. All that data is being pulled off the credit cards and put on counterfeit cards that are then sold on the black market, as pointed out by security expert Brian Krebs and discussed in a post by TechCrunch’s John Biggs.

But it’s easy to pin all the blame on Target. The old-fashioned magnetic stripe makes fraud so much easier for the crooks out there. Data encrypted on microchips has been used in Europe and other parts of the world for years, but the U.S. lags way behind, making it a haven for black market hackers. Encrypted microchips are not a cure-all, but they could go a long way in protecting consumers, the most vulnerable out of this whole monster mess.

[Image: Flickr/Sean Davis]