How Main Street Will Pay for Home Depot's Data Breach


Federal law protects consumers from the cost of fraudulent charges incurred when thieves steal credit-card and debit-card numbers. That’s good for the millions of Americans who had their payments data exposed by the hackers who breached Home Depot’s computer system earlier this year. And it’s bad for merchants, who often take losses on sales made to crooks with stolen cards.

When a credit-card company identifies fraud, it wipes the payment off the cardholder’s account and notifies the merchant. Unless the store can prove the payment was authorized, the credit-card company debits money from a merchant’s checking account, leaving the vendor on the hook for the cost of items that were fraudulently purchased. Merchants also pay penalties, called chargeback fees, for accepting unauthorized charges. Accrue too many chargebacks and you’ll pay higher processing fees or lose the ability to accept certain credit cards.

Those costs add up. The average merchant lost 0.68 percent of annual revenue to fraud in 2013, but the total cost is a multiple of that, according to a survey published last month by LexisNexis. For every dollar lost to fraud, merchants spend a further $3.08 to replace lost inventory and cover chargeback fees and other penalties, according to the survey.

The Home Depot hack left as many as 60 million credit cards and debit cards exposed, according to a report in the New York Times. Add those to the 40 million accounts affected by a hacker assault on Target last year, plus the cards pilfered from Chinese restaurant chain P.F. Chang, luxury retailer Neiman Marcus, and others. A lot of stolen identities are floating around.

Seventy percent of stolen cards will be used for at least one transaction, says Tom Kellerman, chief cybersecurity officer at Trend Micro, a software security company. Crooks like to use stolen cards for expensive items such as consumer electronics and luxury clothing. Airline tickets, rental cars, and gift cards are also popular items.

The large-scale hacks may also lead to more of what merchants call “friendly fraud.” That’s when customers dispute charges that they incurred, and it’s more common than you’d think. Friendly fraud is more prevalent than identity theft, according to LexisNexis.

Thieves can make a sucker out of any business, says Jason Richelson, co-chief executive at ShopKeep, which sells point-of-sale software to small businesses. Before launching the startup, Richelson co-founded a Brooklyn wine shop called the Greene Grape, and recalls a customer who paid for some expensive champagnes with a credit card that couldn’t be read by the store’s swipe machine. The cashier keyed in the card number manually, making it impossible for the store to fight the chargeback notice it received by fax a week later.

In order to fight a chargeback, a merchant needs to prove that the credit card was present in the store, and that he verified the identity of the cardholder, says Monica Eaton-Cardone, chief operating officer at Chargebacks911, which helps merchants deal with credit-card fraud. That means swiping the card or taking an imprint with an old-fashioned credit-card reader, getting the customer’s signature, and checking the customer’s driver’s license.

At least brick-and-mortar businesses have a chance. Online merchants are responsible for virtually all fraudulent transactions, says Eaton-Cardone. “It’s like a speeding ticket,” she says. “You can go to court and try to dispute it, but chances are you’re not going to get it removed from your driving record.”