4 Card Breach Don'ts: Reporter’s Notebook
The news arrived in a Thursday morning credit union text message announcing a $0 balance in my checking account.
After years of my writing about data breaches and card fraud, someone had stolen my debit card number and counterfeited my card.
The thieves used the counterfeit card in Northern California, hitting my account at an AutoZone, a Food Maxx, a Target and a Valero gas station for a little more than a day before I checked my online banking and reported their perfidy to my credit union. Their last transaction had overdrawn my account as well, so part of my negative balance included a $30.00 NSF fee.
My fury at the theft extended to every institution involved with the payment system whose failure had let this happen.
Any greedy retailer that had put profits over secure data needed to pay such a large fine. They deserved to pay such a large fine, they would wish they had paid for data security instead, I fumed.
AutoZone, Target, Food Maxx and Valero needed to share a fine for accepting a counterfeited card at their stores, I demanded.
My credit union, which checked weekly for fraud on my Washington-based transactions, didn’t notice a quick succession of payments in Northern California, even though I was clearly still in Washington. They should share in the blame, too.
Then I took a deep breath.
This, I decided, could be a good thing.
For years, I had blithely written about payment fraud without experiencing it. At least not in this raw way.
Like almost everyone else in America, I had received new debit or credit cards to replace compromised ones. Likewise, I had changed account payment settings from a closed card to a new one in numerous accounts. Inevitably, I always managed to forget one, so I got at least one late payment notice or fee.
But I had never had my card stolen and counterfeited.
Now I could write about the topic from the point of view of the wronged cardholder, and let credit unions know what the experience is like from the member’s point of view.
So here are four suggestions about what not to do with a member who has been a victim of card fraud.
First, if your credit union cannot get a replacement credit or debit card into a member’s hands in fewer than seven to 10 business days, fix or replace your reissue system.
This is the 21st Century. Your members, particularly your younger members, use their debit or credit card far more than they use cash. They will not understand nor accept your cutting them off from on-demand access to their funds for almost two weeks.
In addition, if you do offer overnight delivery of a new card, do not charge the member for it. Find a shipping partner, negotiate a good rate and then pay it. If your board of directors balks at the expense, remind them that in order for members to generate debit card interchange, they have to have your debit card in hand.
If the board still objects, point out many of your banking competitors already replace debit cards overnight. If that still doesn’t sway them, tell them charging members to get the credit union’s card more quickly so they can make the credit union more money is short-sighted. The credit union wants and needs members to use their debit cards, and should do everything it reasonably can to make that happen.
Second, promising to reimburse cardholders for stolen funds rings hollow if you do not do it in less than 10 working days. Members do not understand how a credit union, which is supposed to be on their side, cannot find a way to return stolen funds to their account in time to avoid incurring late fees or missed payments.
In addition, a member who has temporarily experienced a card fraud loss, and therefore cannot make an on-time loan payment, should not face a late payment fee.
Third, do not suggest to your members, particularly your long-term members, that restoring their funds is contingent upon a fraud investigation.
How could you treat a member, particularly one who has been with the credit union for years, as if they had potentially defrauded the credit union? Credit unions are supposed to know their members in deeper and more substantive ways than bankers claim to know their customers. Live up to that, at least up to $1,500.
Finally, remind your call center staffers that members who call in to report card fraud have had money stolen and are in need of assistance, not suspicion. Do not allow your employees to claim the credit union cannot provide a replacement card or restore the stolen funds because “we aren’t a big bank.”
That kind of sentiment only reminds the member your credit union is not a big bank, and suggests such institutions can do those things. Such claims give the appearance that credit union membership is worth very little.