Credit card lenders could be facing more than $300 million of card replacement costs if customers affected by the Sony Corp data breach decide to replace their credit cards.
Analysts have previously estimated that the incident could cost Sony more than $1.5 billion, but this is the first time they have put a price tag on how much major lenders will also suffer.
"It's not insignificant," Sanjay Sakhrani, analyst at Keefe, Bruyette & Woods, told Reuters on the sidelines of a payments industry conference in Miami Beach on Wednesday evening.
Each customer request to replace a credit card would cost lenders about $3 to $5 per card, several analysts told Reuters on Wednesday and Thursday. Those costs would include the new piece of plastic itself, postage, and various customer service costs.
Hackers earlier in April broke into Sony's PlayStation Network, stealing names, addresses and possibly credit card details from 77 million users. Sony shut down the network on April 19 but waited about a week to disclose that the system had been hacked and users' data could have been stolen.
INTO THE CLOUD
Credit card lenders could also lose business from the customers affected by the breach, even if they were quick to replace the cards. New cards take time to be activated, and in the meantime consumers could use a different card, said Aite Group analyst Julie Conroy McNelley in an email to Reuters on Thursday.
Consumers may also be reluctant to use a card that they perceive as higher risk because it might have been involved in a hacking episode, even if the breach of security was not the issuer's fault, Conroy McNelley said.
By some measures, $300 million is a relatively small amount for the credit card industry. U.S. credit card banks that issue Visa cards and MasterCards made about $2.12 billion in after-tax profit in 2010, according to the industry publication PaymentsSource.
That figure excludes American Express Co and Discover Financial Services, which both lend directly to consumers and process the transactions on those cards themselves.
The Sony breach was one of the biggest online data infiltrations ever and is a sign that the industry may face new threats.
"As we move into the digital world, we put more and more of our digital identity into the cloud, or digital devices ... Security is going to be a tremendously important part of what we do," Daniel Schulman, American Express group president of enterprise growth, told Reuters on the sidelines of the annual conference, hosted by PaymentsSource publisher SourceMedia.
A FACT OF LIFE
Schulman and other credit card executives speaking at the conference declined to comment directly on the breach or the implications for their security standards, but they said increased attention is generally being paid to protecting customer data.
Global credit card security standards are increasingly necessary as payment technology evolves, MasterCard Chief Emerging Payments Officer Ed McLaughlin told Reuters.
Payments security is evolving along with "intelligent devices," like smartphones and contactless cards, he said.
Upgrading certain security standards -- for example, adopting chip-and-PIN credit cards, which are widely used outside the United States -- also depends on merchants, who typically only upgrade their terminals every five to seven years, he said.
"Security breaches happen, they're going to continue to happen ... the mission of the banking industry is to keep the customer base safe and customers feeling secure about their financial transactions and payments," he told Reuters in an interview.
Citigroup spends "a tremendous amount of money on security. We take it very, very seriously -- I don't know that there's a way we could take it more seriously," he said.
JPMorgan Chase & Co said in a statement it is aware of the Sony situation and is working with Visa and Mastercard to understand if there is any impact on its customers. It declined to speculate on the potential cost of customers replacing cards.
Bank of America Corp, Capital One Financial Corp, and Discover were not immediately available for comment.