FAIRFAX, Va. -- Shaping up and shaking down credit union cardprograms to better protect them from fraud means paying attentionto a seeming universe of details--and not taking anything forgranted.

"You laugh now, but I could tell you stories about what I havefound on card visits that would just shock you," Joni Lovingood, asenior risk management specialist with CUNA Mutual told roughly 80credit union card executives who had traveled through rainy rushhour traffic to learn how to better manage their card security."Sometimes it's the things that seem so obvious that are really notobvious at all," she added.

Lovingood appeared in the meeting room of a Fairfax, Virginia,hotel as part of PSCU's Security Summit 2006, a daylong seminarthat lead card processing CUSO PSCU puts on every year at differentplaces around the country. This year, according to PSCU, roughly500 CU card executives have taken part in the seminars around thecountry.

Much of the energy and increased interest in the topic hasflowed from the card security crises which has gripped the creditunion industry in the past two years as hackers have stoleninformation from retailers that the retailers were never expectedto store and as thieves have found ways to bypass long-standingsecurity measures which were considered almost impenetrable foryears.

The summit addressed both changes that PSCU has begun toimplement at its level and different tactics credit unions couldand must adapt in their own operations to reduce their ownrisk--and the higher premiums for card fraud insurance that mighthave been assessed by CUNA Mutual Group.

PSCU's changes were outlined by Kent Potterton, PSCU's directorof credit services who stood in for PSCU CEO David Serlo who wascalled away on a family matter. Chief among these include offeringto take on more of the day-to-day burden of helping credit unionsmanage their card programs and hiring a leading industry securityexecutive from Visa USA to chart the organization's securitycourse.

The procedures, which PSCU will offer to take on for creditunions, include the 24/7 monitoring of fraud alerts. Falcon, a FairIsaac service, or Visa Advanced Authorization, a Visa service, eachprovide continuous fraud monitoring which identifies potentiallyfraudulent transactions and transmits them to analysts at thecredit union or its processor.

CUNA Mutual has required credit unions have neural networks inplace as a condition of their retaining card coverage, and PSCU hassecured agreement from the insurer to allow it to put a softwareprogram in place instead of human analysts in early morning hours.But Potterton announced that PSCU has decided to put human analystsinto place 24/7 and to offer their services to their credit unions.The CUSO will also move more of the analysis of CU fraud datain-house and is working with Visa to get copies of potentiallycompromised card accounts sent both to its own analysts as well asthe CU.

"These are all numbers we have anyway so we have suggested toVisa that they should also alert us to potential fraudcompromises," Potterton said, adding that PSCU hoped to have thepaperwork in place to allow information sharing as early as thefourth quarter of 2006.

PSCU will also take steps to bring more of the fraud recoveryprocess in-house as well, taking that time-consuming chore awayfrom member CUs. PSCU has not yet decided whether or how it maycharge member CUs for the additional service.

The biggest personnel change has been to hire Steve Rowe, aformer security executive with Visa USA who has been recognized asan industry leader in the payment security field, Pottertonexplained. Rowe has testified before Congress on a wide variety ofcard security issues and has been acknowledged as an industryleader who will, to some extent, endeavor to speak for the industryabout different card security challenges.

If he takes on that role, Rowe will have no shortage of thingsto say. The credit union industry feels as frustrated as it doeswith the card security problem, in part because while the rest ofthe industry has seen fraud losses as low as six basis points perevery $100 spent on the cards, many credit unions remain very farabove that.

Lovingood walked attendees through things that she said theyprobably believed they already knew, but may not know as much asthey need to, to adequately protect their cards.

"Every one of us likes to look at our card program or our loanprogram or our deposit program and say 'we are good,'" Lovingoodsaid. "But we have to make sure we learn the difference betweengood and lucky and I have been in enough credit unions thatbelieved they were good and who only found out later that they hadreally just been lucky."

Lovingood took pains to cloak her remarks in optimism, pointingout that credit unions had long faced different fraud challenges indifferent parts of their business and had overcome them. "How manypeople in this room can remember how big a headache deposit fraudused to be," she asked to some nodding heads. "Well, we put theprocedures into place to bring that risk under control and we willwith card fraud too."

Lovingood then went step by step through CUNA Mutual's bestpractices for card security, covering everything from how creditunions count card fraud losses to making sure that staffers aretrained about proper card procedures. In one credit union shevisited, an employee had been told she would receive the card fraudalert faxes from Falcon, but was never really taught what to dowhen she received one or how to analyze the situation to preventfraud loss. "This was obviously a training problem," Lovingoodsaid, "but there was money in fraud losses walking out the doorbecause of it."

Another specific problem discussed involved credit unions whowere not sure their debit processors were verifying CVV/CVC codesand, if they were, whether the CU had instructed the processor todecline card transactions where the CVV/CVC codes did not match.CVV/CVC codes are security measures designed to ensure the cardaccount being debited was not being used fraudulently.

"A number of credit unions we speak to have been surprised thatmerely ensuring their processor verifies CVV codes doesn't meanthat they decline the transactions which fail CVV tests," explainedLovingood. "You have to make sure that transactions where CVV failsare declined." [email protected]