It appears that Wendy’s may be the most recent company to get their point of sale system hacked and have customer credit card data compromised.
At this point, Wendy’s has ONLY said that it is currently investigating reports of unusual activity involving payment cards used at some of its locations.
BUT, if it quacks like a credit card breach, it likely is a credit card breach.
What they probably don’t know yet is how big it is.
Now here is the test case.
Last November, the payment card industry had a liability shift. If a merchant has not installed chip-capable point-of-sale systems and its customers have chip credit cards, the merchant is now liable for the cost of the breach. That means not only the charges that have to be refunded to the customer, but also the cost of investigating the breach, the cost of reissuing the cards and all other costs. The banks designed this to be very painful to merchants who do not upgrade their point-of-sale systems.
A couple of years ago Wendy’s current VP and treasurer Gavin Waugh said that their fraud rate was so low that paying the fraud liability is a whole lot cheaper than putting in [EMV] terminals.
IF, and this is a big if, it turns out that the unusual activity is a breach and again IF the number of cards compromised is large and IF Wendy’s has not installed chip readers in their POS terminals and IF the customers had chip based cards — notice that is a lot of IFs — then Wendy’s may need to reconsider whether paying the fraud liability is cheaper than those new terminals.
Here are some totally made-up, but actually somewhat conservative, numbers.
If there was a breach and it affected 1 million cards (that would be 1/40th the size of the Target breach, so, in the grand scheme of things, maybe a conservative number) and if the cost per card, on average, of the losses to the credit card companies was $250 – some more, some less – then Wendy’s could be on the hook for $250 million.
Granted there are a lot of ifs here, but we will eventually find out more answers and if it was a big breach, the $250 million could be on the low end of the scale. 10 million cards @ $100 each is a billion dollars.
SO, we shall see if Wendy’s is a test case and if so, how big the breach is. Gavin may need to reconsider that statement.
And for other merchants that have not upgraded their terminals, consider this: if you have a breach and it only costs you a couple of million dollars, what is the impact on your business?