Many of the 40 million consumers who swiped plastic in Target stores during the retailer’s recent security breach are likely considering canceling those credit or debit cards, but the choice might not be theirs to make.
Several local banks and credit unions are automatically issuing new cards to any customers or members who swiped a card at Target Corp. stores from Nov. 27 to Dec. 15, the period when hackers hijacked the retail giant’s payment systems and stole millions of card numbers, expiration dates and security codes. Online purchases were not affected.
Baltimore-based 1st Mariner Bank notified affected consumers in a letter this week that their card numbers “may have been exposed to an unauthorized party … because a merchant or processor did not have the proper security features in place.”
1st Mariner plans to send new Visa Check Cards “within 20 business days” from Monday, when the letter was dated. The bank is also sending new PINs, in a separate envelope, according to the letter.
As a further precaution, several institutions are also imposing temporary limits on ATM withdrawals or purchases for customers potentially affected by the breach.
1st Mariner set a $500 limit for purchases that require a signature but don’t require a PIN, and last week, national giant JPMorgan Chase & Co. made headlines for capping daily cash withdrawals at $100, compared with the usual $200 to $500. Chase also limited daily purchases to $300, although the company loosened those restrictions earlier this week.
It’s not immediately clear how many Marylanders will automatically receive new cards.
Banks and credit unions learned which of their customers were at risk from the Target breach because credit card companies provided lists of people who used their cards during the 19-day window. None of the bank representatives interviewed for this article would disclose how many of their customers were affected.
It’s also unclear what the cost will be to send new cards en masse. Consumers are not being charged for reissued cards.
Kathleen Murphy, president and CEO of the Maryland Bankers Association, said she’s not sure how many total customers are served by MBA’s 85 member banks or how many were affected by the breach.
Murphy said each new card typically costs at least a dollar to produce. Doug Johnson, vice president for risk management policy at the American Bankers Association, said the cost could be even higher, depending on whether costs such as extra labor are factored in.
Some Maryland banking institutions, such as APL Federal Credit Union in Howard County, are reissuing both credit and debit cards, but others are sending only new debit cards. Others opted not to reissue any cards automatically but to beef up their account-monitoring technologies and address each customer’s account on a case-by-case basis. Those banks, including Bank of America Corp., will send new cards to consumers whose accounts are flagged for suspicious activity.
Some are still undecided, such as MECU of Baltimore Inc., a credit union for city employees. Spokeswoman Dorothea Stierhoff said MECU hasn’t reissued cards yet but that it’s still “a definite possibility.”
“Each institution is going to make their own decision on reissuing cards,” said Johnson at the American Bankers Association. “If a bank has a small number of consumers who were affected, it might choose to just reissue the cards because obviously it would be less expensive.
“But on the other hand, an institution that has a large number of customers affected could decide they don’t want to do all that extra [account] monitoring, so they’ll go ahead and just send out new cards.”
Some bankers say the cost of reissuing cards is insignificant compared to the inconvenience doing so would cause customers.
“Typically, it’s a minimal cost to issue the cards, but the inconvenience for the customer is substantial,” said Fred Solomon, a spokesman for Pittsburgh-based PNC Bank. “People often have their cards linked to other accounts to make automatic payments.”
Susquehanna Bancshares Inc., of Lititz, Pa., would rather its customers be safe than sorry. It’s one of the banks opting to automatically reissue affected debit cards — the bank’s standard procedure when dealing with a security breach, said spokesman Stephen Trapnell.
“We just do it to help protect customers,” Trapnell said. “We understand that just because there was a breach doesn’t necessarily mean there will be fraud, but we want to act proactively. Larger breaches like this one tend to get more attention, but unfortunately, these things do happen on a somewhat regular basis.”
Consumers who used credit cards during Target’s breach are not as likely to automatically receive new ones as are debit cardholders. That’s because hacked debit cards can pose a greater short-term risk to the consumer, Johnson said.
Debit cards are linked directly to consumers’ checking accounts, so if a consumer is not vigilant about monitoring, a hacker could quickly deplete the balance, he said.
“With debit cardholders, they could end up with insufficient funds for a purchase they’re trying to make,” Johnson said. “But with credit, you can refute the charge before you pay it.”
In the long term, though, Johnson said consumers won’t be liable for any fraudulent charges. regardless of what kind of card was stolen from them. Both debit and credit cards come with protections that ensure the consumer won’t be held liable for purchases they did not make, he said.