Payment processing firms that have been assisting retailer Target, which recently suffered a major data breach, could face millions of dollars in fines and costs due to the issue.
Target's partners could face consumer lawsuits and fines that payment networks such as Visa Inc and MasterCard Inc often levy after cyber security incidents, Reuters has reported.
Fines and settlement costs for individual companies would depend on how the ultimate liability for the breach is determined, according to Jamie Pole, a cyber security consultant in North Carolina.
Target would likely seek to add its partners as defendants to lawsuits already filed over the breach, Boston attorney Cynthia Larose of Mintz Levin told the news agency.
Reuters noted that a similar hacking in the mid-2000s at retailer TJX Companies resulted in penalties of $880,000 (£536,000, €644,000) for Fifth Third Bancorp of Ohio, which processed transactions for TJX.
Any electronic purchase from a store like Target involves several companies. They include the banks that issue credit or debit cards, the "merchant acquirer" who handles the payment for the store when the card is swiped and companies such as Visa and MasterCard who operate the networks through which payment request and confirmation are sent.
According to a research note by Robert W. Baird & Co analysts on 19 December, the merchant acquirer used by Target for credit and debit card transactions is Bank of America Merchant Services, a joint venture of Bank of America Corp and KKR & Co's First Data Corp.
The note also identified Vantiv Inc of Cincinnati as processing transactions for certain Target customers and Toronto's TD Bank Group as the issuer of Target-branded payment cards.
The American retailer discovered a major security breach in December 2013, when payment data from about 40 million credit and debit cards was stolen from Christmas shoppers at its stores over 19 days between 27 November and 15 December.
It has since been revealed that a further 70 million customer records with sensitive information such as names, telephone numbers and email addresses were also stolen.
Target has confirmed that cybercriminals used malware installed on Target's point-of-sale (PoS) cash register systems to siphon off the data.
In an open letter published in several US newspapers, Target's CEO Gregg Steinhafel has apologised for the data breach and vowed to cover all fraudulent charges arising from the breach.