3 Ways to Cut Card Losses
Despite an increasing number of large card data breaches, risk control experts and credit union executives say there are things credit unions can begin to do today to limit losses from card data fraud.
Ann Davidson, senior risk management consultant for CUNA Mutual Group in Madison, Wis., and Carlton Howard, vice president of risk management at the $2.2 billion Coastal Federal Credit Union in Raleigh, N.C., urged credit unions to not let themselves become paralyzed into vulnerability.
The two provided three tips to minimize the costs of card fraud:
Davidson said first look to staff, educating them overall about their card programs and the layers of security that could prevent fraudulent transactions.
“Just as no two credit union credit or debit card programs are alike,” Davidson said, “no two card fraud prevention programs are alike. But all programs share a few things in common, and making sure that everyone at the credit union understands the card program is a good first step.”
Davidson explained that since the Target breach, she has still encountered credit union employees who expressed confidence their credit union’s debit card program is safe because thieves had not been able to capture the cards’ PIN data.
“Of course that’s wrong,” Davidson said, “If both tracks of card data have been compromised, the card is at risk of being counterfeited.”
She added such statements show credit unions needed to do a better job of educating their employees and members about card fraud.
Howard, who has more than 30 years’ experience fighting fraud at Coastal, also said as credit unions educate employees about their card programs and the fraud risk, they should also designate who will be responsible for tracking fraud and accepting accountability for it.
“You almost need someone with a heart for fighting fraud,” he said, adding the person should be accountable for fraud tracking, from month to month, quarter to quarter and year to year, so the problem is always well understood and controlled.
2. Anti-Fraud Toolkits
The second part of a strong anti-fraud strategy, Davidson said, is building a robust anti-fraud toolkit.
Common strategies might include getting to know the credit union’s card processor and security vendor, and the neural network they use, to become completely familiar with the tool’s capabilities.
While stressing not all of Coastal’s tools or strategies might fit every credit union, Howard agreed with Davidson about the role a good neural network can play in fraud protection.
Coastal experienced roughly $25,000 in PIN debit fraud in 2013, down from 2012; $128,000 in signature debit fraud, also down from 2012; and, $174,000 in credit card fraud, which was up a bit from 2012.
Coastal’s card portfolio includes at least 90,000 debit cards and 24,000 credit card accounts worth $82 million.
“Sometimes we change the parameter of our neural network weekly,” Howard said, “depending on what we see as a fraud threat that week. People don’t realize it, but a breach happens every day – every day you can get alerts about compromised cards. Now most of the time, it may only be three or five or 10 cards, but you have to be able to work with your fraud prevention partner on short notice.”
Howard said they focus on proactively tracking fraud, including keeping up with blogs such as Krebs on Security and data-tracking websites.
“We found out about the Target breach by reading it on Krebs,” Howard said, adding that the early warning allowed Coastal to identify the roughly 14,000 debit card holders who had shopped at Target during the breach period.
“We take a pretty conservative course so we decided to block all those cards,” Howard explained, but added Coastal had been conscious of the holidays and chose to block the cards on Jan. 6, unless card costs topped $40,000 before that date.
“We figured we might take a bit more fraud losses by holding off [the block] for as long as we did, but we also knew that this time of year our members were going to be shopping like crazy and traveling like crazy, and the last thing anyone needs to happen is for a card to suddenly stop working.”
He added, “Our policy is that every member who has had a card compromised will have a new card in their hand before we block the old one, whenever possible,” Howard said.
He also said he hoped to conduct a test later this year to determine whether reissuing and blocking is necessarily the best policy all the time. In the BJ’s breach in 2004, for example, Howard reported that Coastal took $40,000 in fraud losses but spent $80,000 on reissuing and blocking cards.
Howard acknowledged that Coastal was always making a slightly different calculation of risk versus reward when confronted with a decision about whether to close and reissue, and he said much of the decision depended on what sort of breach the credit union was facing.
If card PINs have been compromised, for example, he said Coastal is more likely to block and reissue cards, because compromised PINs used at ATMs could cost the credit union a lot of money in a very short period of time.
The tool Coastal used to find out which debit card holders had shopped at Target is called CO-OP Revelation and was provided by debit processor CO-OP Financial Services. Howard stressed that other processors have the same or similar program available.
“It’s very useful to help us plan the placement of branches or ATMs, for example,” Howard said, “because we can tell where our members are shopping and plan accordingly.”
Finding out about a breach as soon as possible also helps Coastal get cards more quickly into the hands of members if it decides to block and reissue, Howard noted, pointing out that there is often a big draw on card plastics after a breach, and it’s good to get your orders in first.
He also reported that Coastal keeps a supply of plastics on hand at its fulfillment partner so that it would be able to re-issue efficiently if needed.
3. Member Involvement
As a final suggestion, both Davidson and Howard urged credit unions to get their members involved in preventing fraud. The two pointed out there are a number of strong anti-fraud measures available, such as setting daily spending limits or transaction limits; like transaction monitoring, members must opt-in for the services.
Davidson has a daily spend limit on her card, for example, and she said she can change it when she anticipates making a large purchase or traveling. Howard said he also uses a similar alert.
“Our members love our transaction verification calls,” he explained. “When we make them they know we are protecting them and their money and they are very grateful.”