All Eyes On Card Security
Industry observers and executives with other processing companies predict that the recent supervisory letter on FIS security problems may have a limited impact on FIS’ sales but will likely heighten the importance of security for all payments processors.
NCUA forwarded a supervisory letter the FDIC and two other federal financial regulators sent to FIS outlining the results of a recent security examination and their concerns about the company's security operations and procedures.
“This will cause reputation concerns for FIS and their group service providers, but likely will be corrected by FIS and result in almost no short-term changes by their processing clients,” wrote Tim Kolk, founder of TRK Advisers, a card portfolio consultancy that helps credit unions improve their credit card performance. “Most of their clients are happy with their products and servicing, they have a good team in the field, and the lead time to making a switch is at least six months and more typically a year of analysis and conversion planning.”
Kolk and other observers cited a frequently long and complicated process to change credit and debit card processors as limiting the impact of the letter. “In the long term, it may make a difference here and there, but otherwise for credit union card issuers I expect tomorrow will look much like yesterday in the processing world,” Kolk added.
But others countered that the security concerns outlined in the letter are sufficiently grave that they will be enough to lead some CUs to leave the processing firm, pointing out that it's become more common for credit unions to consider other card processors routinely as part of their contract renegotiation process. For those credit unions in particular, especially if they already have issues with FIS, the concerns raised in the supervisory letter could lead them to switch, according to one processing specialist who declined to speak for the record, citing company policy.
Ondine Irving, founder of Card Analysis Solutions, a card portfolio consultant that specializes in helping credit unions improve their card portfolio performance, said a number of her client credit unions use FIS.
“I have had both existing FIS clients and those in the processor selection process asking my opinion on this matter,” Irving said. “My response to my clients is to request an answer or response directly from FIS or [Card Services for Credit Unions]. I am surprised FIS or CSCU has not addressed this publicly, given the large number of credit union clients they process for. Prior to this announcement, there has already been an increase in activity of credit unions seeking out all of their card processing options and being very aware of contract expiration dates. This may just add fuel to the fire as credit unions wait out their contracts,” she said. “I do believe those credit unions which may be on the verge of switching processors may be more apt to think twice about giving FIS their card processing business.”
CSCU, the association of credit unions that process their credit and debit card transactions with FIS, revealed that it has received inquiries from member credit unions about the letter but did not share how the association was answering them or advising CUs. In a letter to its 2,700 member credit unions, CSCU President Robert Hackney revealed that Greg Schaffer, FIS’ chief information security officer, would address the association's annual meeting held in St. Petersburg, Fla., this week.
“Please be assured, the CSCU board of directors, which is made up of nine credit union CEOs from across the country, consider information security a critical priority of the highest magnitude,” Hackney wrote in the letter, which the association added to its website. “As a credit union CEO, they, like you, want assurance their member’s data is secure and they bring that same level of concern as a CSCU director representing your interest as a member of CSCU. In addition, FIS senior management meets regularly with the CSCU board.”
Meanwhile, after initially signaling its support for FIS, CO-OP Financial Services, which partners with the processor in some joint agreements, an executive with the payments CUSO said it would also expect the processor to address the security problems.
FIS processes debit transactions for CO-OP and markets access to CO-OP's surcharge free ATMs to its clients.
Caroline Lane, senior vice president for business development for CO-OP, said the CUSO would accept FIS’ declarations for what it had been doing to correct the security concerns that were the subject of a supervisory letter but that the CUSO would also hold the company accountable for making those changes. She did not elaborate on what that accountability might include.
“I wouldn't say we would just take their word for it about what they are doing, that's sounds too soft,” Lane explained. “We will hold them accountable for following through.”
Lane joined with other processing executives, including Kimberly Hester, executive vice president, network services for CO-OP and Jeff Russell, CEO of TMG Financial Services and senior adviser to The Members' Group, in predicting that the FIS letter will result in highlighting the importance of security in evaluating processors. TMG Financial Services purchases CU card portfolios and issues cards in agent relationships with credit unions. The Members Group processes debit and credit card transactions for credit unions.
“This is something which has already been going on for some time,” Lane remarked, “at least we have been hearing about it since NCUA started putting more emphasis on evaluating vendor relationships,” Lane said. “I expect that this is only going to make security more important.”
Russell agreed and predicted that heightened concerns would last for some time, even through the advent of net technology which should make card data security easier to manage.
“The payments processing industry has spent an extraordinary amount of money and time protecting the 16 digit card number,” Russell observed, “and I don't see that changing any time soon. Even if chip cards come into wider usage, there will always be thieves looking for ways they can evade the technology and steal the data.”
NCUA Defends Forwarding Letter
Officials at the NCUA are defending their decision to forward a supervisory letter on FIS to credit unions, noting that it's routine for the agency to share materials from other regulators and observing that credit unions that process with FIS needed to read the letter.
“It is a longstanding inter-agency practice to share reports, in this case produced by one of the banking agencies, with clients of record,” said Larry Fazio, director of examination and insurance for the agency. “The Federal Deposit Insurance Corp., the Office of the Comptroller, and the Federal Reserve Bank have all released this report, like other vendor reports, to their regulated institutions. NCUA, like the other agencies, is providing the report information for the sole purpose of facilitating vendor due diligence.”
Sources familiar with the agency's actions said officials had considered forwarding the letter routine and argued that the agency risked leaving credit unions unwarned.
The sources, who spoke not for attribution, pointed out that the agency had little choice but to share the letter and would have had to bear some degree of responsibility had credit unions suffered losses from a risk that the agency was aware of but credit unions were not.
The sources also denied the rumor that the agency was trying to drive credit unions away from using FIS. They pointed out that the decision to change payment processors was large enough and complex enough that neither the agency nor credit unions would be served by large numbers of credit unions going through that process at the same time. Rather, the officials said the agency hoped that providing information to the credit unions would help bring market pressure on the processor to correct the security deficiencies as well as alert credit unions to the risk.