Another large data breach, affecting consumers’ debit and credit card numbers, will not cost consumers or merchants – but will be costly to credit unions and other financial institutions, the Credit Union National Association (CUNA) has pointed out to key senators sponsoring a delay in interchange fee caps rules.

CUNA President and CEO Bill Cheney told Sens. Jon Tester (D-Mont.) and Bob Corker (R-Tenn.) that the recent data breach at Michaels (a crafts store) will cause consumers to contact their credit unions and other financial institutions to cancel and then issue new debit and credit cards. Cheney noted the financials will do so at no charge to their members and customers.

“However, there is a cost to taking this action – and it is borne by the card issuer, not by Michaels, Sony or any other merchant whose negligence leads to a data breach,” Cheney wrote. “What makes it possible for card issuers to cover this cost – as well as the cost of any fraudulent transactions which may occur as a result of the breach – is the interchange revenue merchants pay card issuers as their fair share of the cost of the payments system.”

Cheney wrote that CUNA appreciates that the senators have introduced legislation to delay the implementation of the rules that would cap interchange fees. (The Tester-Corker legislation would delay the rules for up to two years so that the impact of the interchange law on financial institutions could be thoroughly studied.)

“If Congress fails to act and the debit interchange regulation is allowed to be implemented, credit unions across the country will be forced to bear even more of the cost of merchant data breaches while the merchants responsible for the breaches not only continue to escape responsibility for their data breaches but also receive a windfall thanks to government price controls,” Cheney wrote.

“In the end, consumers lose if the proposed rule goes into effect,” he added.

The complete text of Cheney’s letter to the senators follows:

- - - - - - - - - - - - -

May 12, 2011

The Honorable Jon Tester
United States Senate
Washington, DC 20510

The Honorable Bob Corker
United States Senate
Washington, DC 20510

Dear Senators Tester and Corker:

In April, I wrote to you regarding the data breach at Sony which compromised the personal data – including debit and credit card numbers – of over 100 million consumers.  Sadly, this week, another major merchant data breach was announced when Michaels, a big-box craft store, notified its customers that their credit and debit card data could have been compromised in a breach that occurred in Illinois and 19 other states.

Michaels customers were advised to contact their credit union or bank as a result of this merchant breach.  When they do so, the customer is likely to find that their credit union or bank will cancel the compromised card and reissue a new card at no cost to the consumer.  However, there is a cost to taking this action – and it is borne by the card issuer, not by Michaels, Sony or any other merchant whose negligence leads to a data breach.  What makes it possible for card issuers to cover this cost – as well as the cost of any fraudulent transactions which may occur as a result of the breach – is the interchange revenue merchants pay card issuers as their fair share of the cost of the payments system.

We appreciate your continued support for legislation (S. 575) to delay the implementation of Section 1075 of the Dodd-Frank Act.  Based on the Federal Reserve Board’s proposed debit interchange rule, it is clear that the small issuer exemption provided by Congress will not work and that credit unions and small banks will be affected by the regulation in a manner that Congress did not intend.  If Congress fails to act and the debit interchange regulation is allowed to be implemented, credit unions across the country will be forced to bear even more of the cost of merchant data breaches while the merchants responsible for the breaches not only continue to escape responsibility for their data breaches but also receive a windfall thanks to government price controls.  In the end, consumers lose if the proposed rule goes into effect:  they will face new or additional fees to use their debit cards and their personal data will continue to be lost by merchants who bear no responsibility to reimburse those impacted by their data breaches.

The two-year delay proposed by your legislation will provide time to study the impact of Section 1075 on consumers, debit card issuers and merchants, and for Congress to address potential changes to the law as a result of this study.  On behalf of America’s credit unions and the 93 million members, thank you for your support of S. 575.  We encourage the Senate to pass this legislation as soon as possible.

Best regards,

Bill Cheney
President & CEO
Credit Union Natl. Assn. (CUNA)
Washington, DC