<p>Visa and MasterCard, the two largest plastic card membership organizations, are both introducing the next generation of authentication software this year. That’s good news for online merchants who purchase the services, because the services are expected to be an effective deterrent to plastic card fraud. But credit unions may be assuming significant additional liability when the merchants buy into the systems.</p>
<p>Plastic card fraud can be brutal. Global plastic card fraud losses are over $1 billion a year and growing. Of this, fraud losses are disproportionately high over the Internet (0.25% on the Internet vs. 0.08% for all other transactions), where purchases take the form of cardholder-not-present (CNP) transactions. Online plastic card fraud will significantly increase as people become more comfortable buying online and as e-commerce expands. Keep in mind that criminal organizations exist for the sole purpose of perpetrating plastic card fraud, to the point where they operate their own “carder” Web sites and are even planning a convention!</p>
<p>It obviously is important that consumers feel secure about using their plastic cards online. Cardholder authentication systems must continually be enhanced to deter fraudsters. Visa’s new authentication system, released in April, has already signed on numerous online merchants. MasterCard’s version is expected to be available this fall.</p>
<p>Both services incorporate multiple-character fields designed to hold authentication data. In general terms, they work like this: The system has access to “non-wallet” information about buyers from credit bureau databases or from buyers themselves. At the point of sale, the buyer is asked to provide information that only the buyer would know. In seconds, the credit union or bank validates this information, thus deterring unauthorized card use.</p>
<p>The attraction of the new Visa and MasterCard authentication systems to online merchants is easy to see.
Under credit card merchant account agreements, the Internet merchant is 100% liable for fraudulent transactions; that is, the merchant must pay for the amount of the loss, as well as chargeback fees and fines. As e-commerce expands, the problem of fraud committed via CNP transactions is only expected to increase, but these systems are expected to be quite effective at deterring fraud.</p>
<p>Millions of Dollars of Exposure</p>
<p>But, for credit unions, there is a critical downside to the new authentication services. When the merchant uses the service, the liability for plastic card fraud losses shifts away from the merchant and over to the card-issuing credit union that is a member of the Visa or MasterCard network. This creates a paradigm shift in financial exposure. Credit unions will now be assuming potentially millions of dollars of exposure they didn’t have before. Let’s look at a few examples of how events might play out.</p>
<ol>
<li>A fraudster obtains a stolen debit card number from a carder Web site and makes $10,000 in purchases from online merchants.</li>
<li>A fraudster has a stolen debit card number, obtained by using a skimming device (a magnetic recorder), and makes $10,000 in online purchases before the fraud is detected in the cardholder’s monthly statement.</li>
<li>A hacker uses e-mail to implant a “Trojan Horse” program into the credit union’s online banking system. In minutes the invader can log into the system and download the card numbers and other personal information, such as passwords, of thousands of cardholders. The hacker then sells the information via a carder Web site and those card numbers are used to purchase goods online. The institution’s entire credit card database could be compromised.</li>
</ol>
<p>If the online merchants involved are not using the new authentication services, they bear the brunt of the loss. But suppose the merchants are using the authentication services outlined above. Now the liability for all these debit card losses becomes the credit unions’.
</p>
<p>Greater Need for Insurance</p>
<p>What is the effect of the increasing plastic card fraud liability on a credit union’s need for insurance to cover this exposure? In a word, this coverage is now critical. A thorough evaluation of coverage is essential to ensure that the institution’s insurance protection is keeping up with the changing world of exposures. An insurance evaluation should consider the following things:</p>
<ul>
<li>Plastic card fraud should be an included coverage.</li>
<li>The insurer should be financially strong enough to pay its claims obligations. Financial strength and claims-paying ability are indicated in the ratings assigned by Standard & Poor’s and A.M. Best Company, respectively.</li>
<li>The insurer should have a solid reputation for handling claims. In other words, the insurer should embrace a philosophy toward paying claims that calls for fair and equitable treatment of customers. A broker is usually an excellent source for this knowledge.</li>
<li>The insurer should be able to make loss prevention services available to its customers. Such services may include an internal control audit, interviews with senior management and cardholder department staff, a review of security system strengths and weaknesses, and so on.</li>
</ul>
<p>It’s frightening to think that professional fraudsters are working day and night on new ways to defraud plastic card issuers and cardholders. But just as techniques for battling these criminals advance, so can liability exposure change, and the potential losses resulting from fraud can be large enough to cripple a credit union. As your credit union considers its protection options, it should not overlook the need to evaluate its insurance coverage.</p>