Credit Unions Gear Up to Face Latest Card Security Breach; Watch and Wait Attitude
ARLINGTON, Va. -- More credit unions appear to be watching and monitoring card accounts that have been reported as compromised in the latest major retailer card breach, rather than quickly closing card accounts and reissuing plastic.
Last week The TJX Companies, parent firm of retail chains in the U.S., Canada and the United Kingdom, revealed that it was the victim of a card data security breach that may have compromised a potentially large number of card accounts. The company has yet to reveal a final figure, but estimates have ranged into the hundreds of thousands of cards and some as high as millions of card accounts.
Visa, MasterCard, American Express and Discover cards were all included in the breach, the retailer said. The company did not indicate that any of its processing firms were involved in the data theft, which it said took place at its headquarters.
News of the breach spread through the credit union industry on the waves of compromised account alerts that began to flow from card brands to the issuers last week, and CUs began to consider what to do with card accounts that have been compromised but have yet to see any fraudulent activity.
In previous card data breaches many CUs almost automatically closed compromised accounts and reissued cards, incurring huge costs, judging that the prudent course was to protect the member and the credit union from any possibility of fraud. But as the cost of closing card accounts and reissuing plastics continued to rise, and with CUNA Mutual raising rates and deductibles, more credit unions are taking a reserved attitude toward the issue.
"I definitely think that credit unions are not as shocked that this has happened and I think there is more familiarity with events like this," said Karen Fry, vice president of marketing for Card Services for Credit Unions, the association of credit unions that process their cards with Fidelity National Information Systems. "There is more awareness now that they might not have to close and reissue all the accounts that have been named as possibly compromised."
Like other card security experts, CSCU is advising credit unions to monitor the potentially compromised card accounts closely, making use of neural network fraud protection programs such as Falcon to keep an eye on the accounts, but not to close them immediately.
A big part of the watch and wait reasoning is based on how much information from each card account appears to have been compromised in the breach. The more data exposed, the higher the risk of fraud, the experts say. And among the most sensitive data, experts say, is the information included on the so-called track 2 data, which includes encrypted personal identification numbers. According to a notice CSCU sent out to its members, track 2 data was exposed in the breach.
But in the case of the risk of PIN-based card fraud, CSCU reminded credit unions that the risk might not be as severe with this breach as with others because the breach did not involve the retailer's processor.
"It is important to note that the PIN offset value is an encrypted representation of the clear PIN," CSCU wrote. "This value is not the actual clear PIN, but rather an encrypted block of data that can only be of value when decrypted. Decryption can only occur if the Issuer Key was present. As standard operating procedure, the Issuer Key is always stored with the Issuer Processor. With this recent event, the Issuer Key was not compromised, because the compromise took place at the merchant, not the Issuer Processor, and thus Clear PINS are not subject to this compromise event."
Still, with the track 2 data compromised, the event exposed card accounts to significant risk, which CUNA Mutual urged credit unions to evaluate carefully when deciding whether to reissue.
"Our guidance remains the same now as it has been," said Brian Fisher, senior risk manager for CUNA Mutual. "If a high level of data is exposed and if there are indications that there has been fraud on the accounts, go ahead and close them."
Fraud Not Widespread Yet
But Merry Pateuk, spokesman for PSCU Financial Services, indicated that the card servicing cooperative had been seeing relatively little fraud on the compromised accounts. While some credit unions have adopted a more wait-and-see approach, others are still closing accounts and reissuing cards quickly. In Rochester, N.Y., The Summit Federal Credit Union ($358 million) has already announced that it will reissue cards to members affected by the breach, according to a brief account in the Rochester Democrat and Chronicle.
One different factor in the decision to close or not close the accounts has been the additional levels of institutional support credit unions with compromised card accounts have available to them, the experts said. Falcon has created a way of assigning a special code for each breach, which can be attached to a compromised account number and then taken into account when it makes risk evaluations, for example. Visa has also taken steps to streamline the process by which a credit union can get at least partially reimbursed for the costs of closing and reissuing an account in the case of fraud. These changes help reassure credit unions that their exposure to fraud is being narrowed and, should fraud occur, recouping some of their losses will be more easily accomplished.
Meanwhile, the TJX breach will likely serve to fuel a fire over data security, which had died down after last year's breaches. Jeff Post, CEO of CUNA Mutual, was quoted in the Wall Street Journal's coverage of the card breach, calling for the data security situation to be corrected before it undermined consumer confidence in the entire electronic payments system.
"The parties responsible for security breaches need to be held accountable," Post was quoted as saying in the Journal. "The situation will not fix itself. It must be reversed quickly. Otherwise the entire plastic card payment system could be undermined."
The breach caused CUNA to reemphasize the issue in its lobbying effort. CUNA is already on record as supporting legislation that will ensure card data is suitably protected and that firms act responsibly if there are data breaches.
The legislation CUNA favors would prohibit merchants or their agents, such as processors, from storing personal and financial information in connection with credit or debit card transactions. It would also require that companies provide useful and timely notice to financial institutions when breaches occur and that they must reimburse the card issuers for losses suffered in the breach.
But Barney Frank (D-Mass), the new Chairman of the House Committee on Financial Services, did not commit to any legislative initiative in the wake of the breach.
"I learned of the latest data breach from a financial institution that may have to bear the costs of informing customers and issuing new credit cards but they were not told why," Frank said. "This is further evidence of the need for a provision that Democrats pushed for in last year's debate over data security. Mainly, those institutions where breaches have occurred must be identified and they must bear responsibility. Specifically, this means retailers or wholesalers must take responsibility, contrary to what common practice is today."
Frank did not reveal any plans to revive last year's Democratic approach to the problem or any timetable for the Committee to return to the issue.