Rise in Retail Breaches Transforms Response
For credit unions, the key question is how best to respond. Know, too, that best practices have been in flux since the Target breach mainly due to the plethora of other breaches that have also occurred.
The reason for that flux may be cost. In February, CUNA estimated that the Target breach alone had cost credit unions $30.6 million, with much of that money spent on card reissuance at a cost per card of a few dollars up to $50 for cards overnighted to members.
“All the expenses in these breaches go to the issuers like us. The retailers have no skin in this game,” Melanie Vest, an EVP at the $732 million DATCU Credit Union in Denton, Texas, said. That costly reality is what has triggered a big rethink and today's advice is this: “You no longer can reissue every card,” Karen Postma, client services director at payments processor The Members Group in Des Moines, Iowa, said. “Don't take a kneejerk reaction. You have to be particular about why you choose to reissue a card.”
Georgann Smith, vice president of marketing at TMG, said that, at least with the Home Depot breach, reissuance was down in part because a significantly lower volume of concerned member calls was coming in. Nobody knows why, but the suspicion is that consumers may be suffering from “breach fatigue.” Either way, financial institutions have lately been under less pressure from anxious consumers to reissue.
There are ways to mitigate the fraud potential associated with a specific card and, in other cases, reissuance may be the only real option. However, across the credit card risk universe, some experts have said the era of mass reissuance is coming to an end.
After Target, what many financial institutions did was a quick search for cards that had been used at the retailer in the period the breach was ongoing. Those cards often were cancelled and new ones issued. Because this happened during last year's holiday season, some credit unions overnighted the replacement cards to members. At the time, that reaction was applauded. Not anymore, Postma said.
Vest agreed: “We are approaching this differently from a couple years ago when we reissued on every breach. Now, there are breaches every day.”
Steve Ruwe, chief risk officer at PSCU, the St. Petersburg, Fla.-based payment services CUSO, said, “Reissuing tens of thousands of cards is not the best investment for a credit union.”
How, then, does a credit union defend itself against the fraudsters who feed on stolen credit card numbers? Industry insiders offered tactics that, increasingly, are helping institutions anticipate and block fraud before it happens.
Stan Hollen, president/CEO of CO-OP Financial Services in Rancho Cucamonga, Calif., said swift action is key and to delay is to invite more fraud. Case in point: the large card networks, MasterCard, Visa, Discover and American Express, all issue alerts that highlight card numbers that may have been involved in a breach. Hollen's advice was not to wait for those alerts, which may be delayed a week or more after a breach is reported.
“Use analytics to look for cards that might be involved,” Hollen suggested. “Get out in front of fraud. Be on real time.”
Another key is to enlist member help, Smith said.
“Credit unions need to continue to educate cardholders, encouraging them to monitor their accounts.”
The idea is that members may spot fraud that computers did not recognize as such and thus, an alert member can help a credit union short circuit fraudulent use of a card days before the institution itself recognized there was a problem.
Some credit unions had been reticent about discussing fraud with their members but that, too, is changing.
“We are seeing a lot more communication by credit unions with members,” Postma said. Still, more proactive work needs to be done. “Look for patterns of fraud,” she advised.
Vest elaborated that, frequently, criminals will use stolen credit card numbers to buy gift cards at a large grocer – a $50 iTunes gift card is about as good as cash. That's a well-known fraud pattern. But at DATCU, if the credit union sees a particular card used, say, three times in a short period of time at a location known to sell gift cards, that may be ample trigger to shut that card down, according to Vest.
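The velocity rule Vest describes can be sketched over an authorization feed as follows. This is an added example, not DATCU's or any vendor's code; the 60-minute window, the merchant IDs, the card tokens and the record layout are all assumptions, since the article gives only "three times in a short period" at a gift-card seller.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; the article specifies only the count of three.
WINDOW = timedelta(minutes=60)
THRESHOLD = 3
# Constructed IDs for locations known to sell gift cards.
GIFT_CARD_MERCHANTS = {"GROCER-0417", "GROCER-0932"}

# Constructed sample authorizations: (ISO timestamp, card token, merchant, amount).
SAMPLE_AUTHS = [
    ("2014-10-03T10:02:00", "tok_A", "GROCER-0417", 50.00),
    ("2014-10-03T10:09:00", "tok_A", "GROCER-0417", 50.00),
    ("2014-10-03T10:21:00", "tok_A", "GROCER-0417", 50.00),   # third hit in window
    ("2014-10-03T09:00:00", "tok_B", "GROCER-0417", 84.13),   # same store, spread out
    ("2014-10-03T11:30:00", "tok_B", "GROCER-0417", 22.40),
    ("2014-10-03T15:00:00", "tok_B", "GROCER-0417", 61.77),
    ("2014-10-03T12:00:00", "tok_C", "FUEL-0021", 40.00),     # fast, but not a gift-card seller
    ("2014-10-03T12:05:00", "tok_C", "FUEL-0021", 40.00),
    ("2014-10-03T12:10:00", "tok_C", "FUEL-0021", 40.00),
    ("2014-10-03T13:00:00", "tok_D", "GROCER-0417", 50.00),   # split across two locations
    ("2014-10-03T13:05:00", "tok_D", "GROCER-0417", 50.00),
    ("2014-10-03T13:10:00", "tok_D", "GROCER-0932", 50.00),
]

def flag_cards(auths, window=WINDOW, threshold=THRESHOLD,
               merchants=GIFT_CARD_MERCHANTS):
    """Return {card token: time of the authorization that tripped the rule}."""
    recent = defaultdict(deque)   # (card, merchant) -> timestamps inside the window
    flagged = {}
    for ts_str, card, merchant, _amount in sorted(auths):
        if merchant not in merchants or card in flagged:
            continue
        ts = datetime.fromisoformat(ts_str)
        hits = recent[(card, merchant)]
        hits.append(ts)
        # Slide the window: drop uses older than `window` relative to this one.
        while ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= threshold:
            flagged[card] = ts    # candidate for a block or manual review
    return flagged

if __name__ == "__main__":
    for card, when in flag_cards(SAMPLE_AUTHS).items():
        print(f"{card} tripped the gift-card velocity rule at {when}")
```

Keying the counter on the card and the location together follows the wording "at a location"; counting across all gift-card sellers instead would also catch tok_D, at the cost of more false positives.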
By continuing to analyze patterns, credit unions can potentially get ahead of the criminals. In the Home Depot fraud, for instance, Postma said there appeared to be a high volume of attempted PIN resets on stolen debit cards. If credit unions are aware of this type of pattern, they can proactively tighten the procedure for a PIN reset, making it harder for a criminal to con a customer service employee.
Another step is putting tighter restrictions on cards, Postma advised. That may mean lowering daily spending limits on debit cards, for instance.
Obviously, once a stolen card number is involved in proven fraud, reissuance is the only cure. Ditto for cards that are located in areas with especially active criminal gangs. Those cards may be reissued before there is fraud, simply because the odds say criminal activity is likely to occur.
In many other cases, the best strategy is to stay alert and use fraud analytics software tools offered by vendors.
Vest summed up the crux of a savvy credit union response: “You try to outsmart the fraudsters. They have the advantage but you try to outthink them and we are getting better at doing that.”