Target has announced that it has reached a settlement with Visa in the US litigation arising out of its 2013 data breach, which exposed an estimated 40 million credit and debit cards. The settlement will see payment made to Visa card issuers for the losses incurred, as well as to Visa itself.
The losses relate to replacing the cards of individuals affected by the breach (and all costs associated with that). There is unlikely to have been any direct contractual relationship between Visa and Target. As per standard practice, PCI DSS obligations will have been passed down the contractual chain. However, we presume that Visa is acting as representative of the Visa acquiring banks and taking forward the action against Target.
The value of the settlement has yet to be confirmed, but The Wall Street Journal has estimated it at up to $67 million.
If the settlement goes ahead, Visa and its card issuers will be removed from the continuing litigation. However, back in May 2015, a similar deal with MasterCard for $19 million was rejected at the last minute due to lack of support from MasterCard card issuers.
What action could be taken to manage risks that may arise from this development?
None - for interest.