It’s a case of a home improvement retail giant versus two network payment processing behemoths. In mid-June 2016, Home Depot filed an antitrust lawsuit in federal district court in Atlanta against Visa and MasterCard, alleging credit card security is inadequate and exposes retailers and customers to hacking.
- The Security Problem According to Home Depot
- Credit Card Companies’ Reactions
- The Monetary Problem According to Home Depot
- No Option
- Are PINs the answer?
- Prayer for Relief
- Visa and MasterCard Respond
The Security Problem According to Home Depot
Home Depot accuses Visa and MasterCard of being more concerned with protecting their “inflated profits and dominant market positions” than in the security of payment cards used by consumers and “the health of the United States economy.” It alleges Visa and MasterCard have pushed consumers to use payment card technology both know are defective and subject to fraud.
Further, Home Depot accuses MasterCard and Visa of creating policies forcing retailers to allow signature verification in addition to the more secure PINs. Lastly, Home Depot wants MasterCard and Visa to require customers to provide PINs, along with the physical credit card, at the time of purchase. Currently, consumers need only signature authentication. The lawsuit states, “Signatures can be copied or forged, and cashiers are not handwriting experts trained to identify forged signatures.”
Home Depot’s Prior Breach
In 2014, Home Depot suffered a majority security breach, when criminals stole the data of 56 million credit cards. Hackers gained access to a vendor’s third-party logon information. They then took advantage of the “zero-day vulnerability” in Windows, according to the SANS Institute. This permitted cyber-thieves to move to Home Depot’s corporate environment. Once inside Home Depot’s network, the hackers embedded malware that scraped memory on approximately 7,500 point-of-service terminals.
Not only did the malware receive data on the 56 million credit/debit cards, it also got hold of 53 million email addresses. It took five months for Home Depot to realize there was a breach, primarily due to insufficient monitoring capabilities. Even though the recent lawsuit is unrelated to this breach, it is obvious that Home Depot was seriously harmed by this incident and is now hyper-vigilant regarding security issues. The company does not want a repeat of this financial and public relations debacle.
Credit Card Companies’ Reactions
A representative from MasterCard responded to the Home Depot suit. MasterCard spokesman Seth Eisen said in a statement, “Regardless of how the cardholder’s identity is confirmed, the chip makes data much more secure, rendering it almost useless to create fraudulent cards or transactions.” A Visa spokesperson simply said the company was aware of the suit.
In its court filing, Home Depot stated both Visa and MasterCard “know perfectly well” that a signature alone – without a PIN – provides virtually no protection against various types of credit card fraud. However, this statement does not take into account the added protection against skimming; protection that comes whether customers authorize cards with PIN or signature.
The Monetary Problem According to Home Depot
The suit also accuses Visa and MasterCard of collusion with banks and each other. The results are “the highest rates of payment card fraud in the world, and United States businesses are subject to the highest payment card related fees in the world.”
Home Depot’s complaint alleges that the card companies have colluded to charge retailers higher fees. Signature transactions often cost more than PIN transactions.
Home Depot was one of the first nationwide retailers to improve its terminals to accept chip cards. It now claims retailers have no option regarding the PIN methods, because the issuing banks won’t move to such a system. Because these general purpose payments cards are in such wide use, businesses have no choice but to accept them to remain viable.
Are PINs the answer?
Home Depot’s suit alleges Visa and MasterCard are colluding to place obstacles in the realm of chip-and- PIN adoption to keep merchant fees high. While PINs make some transactions safer, they make shopping somewhat more complicated. There are customers who don’t want to memorize a PIN, which could put PIN cards at a disadvantage. There’s also no question that moving to PINs would cost issuers a tremendous amount of money.
Additionally, although a chip-and PIN card lowers the risk of onsite transaction fraud, it makes no difference in online and phone fraud. The rates of card-not-present fraud have risen in Europe since the introduction of chip technology, and experts have predicted that fraud rates would follow suit in the US.
Read more about PIN debit vs. signature debit.
Prayer for Relief
The lawsuit concludes with a “Prayer for Relief.”
Home Depot asked the court to declare that the defendants have committed the alleged violations of state and federal law. It further asks the court to award damages sustained by the company due to the defendants’ misconduct, with such an amount proved at trial. In accordance with antitrust law, that amount is trebled, along with the payment of interest and legal fees.
Visa and MasterCard Respond
In August 2016, Visa and MasterCard both denied Home Depot’s allegations, but did not provide much detail. Visa and MasterCard asked to dismiss the case, as is customary in initial comments. The card brands requested moving the case to a New York court and merging with another case. However, no decision has been made.