SAN FRANCISCO -- For many in the credit union industry, particularly if they worked with electronic payments generally and cards in particular, 2006 may go down in memory as the year card security really arrived as an issue that overhung the whole industry. In many ways the year began much as 2005 ended. Large data security breaches, such as the one at Cardsystems or major retailers continued to occur. Fraud alert messages continued to flow from Visa and MasterCard. Credit unions remained faced with the inconvenient and expensive decision of whether to close accounts and reissue accounts, which may have been compromised in the breaches, or not.
But 2006 also brought ripples in the issue as well. Awakening to the problem with the public and their issuers, the major card brands announced initiatives designed to bring more of the major retailers into compliance with the security protocols the retailers had flaunted. Also, CUNA Mutual Group, the insurer for the majority of CU card programs, announced that its losses in cards had grown unacceptable and that CUs had to make security their highest card priority or face the prospect of possibly not having any card insurance going forward.
Many credit unions welcomed the focus on security in their own shops. Now, at least, they had a way they could fight back against a problem that seemed removed from their daily operations and impossible to control--until they finally got hit with the costs of a breach. Others questioned whether the increased trouble and expense of providing card security would drive them out of the card issuing business, though card brokers reported that few if any CUs reported selling their card portfolios because of security concerns. But everyone had to start auditing how they conducted their card business, and for many the audits were an eye-opening experience. Auditors surprised many by finding the first widespread weakness in many CUs' debit card programs, and particularly in point of sale transactions which were considered by many to be among the safest since cardholders validate many of these with a personal identification number. Auditors found weaknesses first in the fact that many of the card security breaches that involved hackers had been able to get far more information from the pilfered accounts than had been available previously. The second weakness was that many CUs had never bothered to turn the additional Card Verification Value 2 check on when validating their debit card transactions. So called CVV2 transactions ask a cardholder to input a three or four digit number that is on the back of their card (Visa and MasterCard) or on the front (American Express) to validate that they actually have the card and that the number is correct.
Because so many CUs had their CVV2 verification turned off, they were sitting ducks for thieves that used data gained in card breaches to fraudulently use their members' debit cards. And when many CUs found that they were not checking their CVV2 values, and told their processors to start checking them, some had to follow up to make sure that the processor was denying charges that came through with a CVV value that failed.
But the good news is that by taking the security question to task, card program by card program, the industry will be able to bring the card loss problem under control, according to executives like Steve Ruwe, the new chief risk officer for PSCU Financial Services. Ruwe joined other industry analysts in pointing out that, overall, card losses remain relatively low and that credit unions will be able to manage the program.
Phil Tschudy, spokesman for CUNA Mutual, said the insurer views the industry as beginning to make progress in the fight against card losses, but not being out of the woods yet. He reported that the insurer estimates this year's card losses will come in at $110 million, or about $10 million less than it had first estimated, and that the insurer is optimistic that changes put into place this year will continue to ripple out and bring positive results next year and into 2008. --email@example.com