Q&A: Best practices for dealing with card compromises for FIs
Breaches in the financial services industry have increased 60 percent in the past year. So the chances are pretty good that your financial institution will need to deal with a card compromise at one point or another.
Taking proactive steps to come up with best practices to deal with a potential card compromise can make a big difference to your financial institution’s bottom line. Cardholder compromises are the top source of fraud, and the average cost to financial institutions for a breach is $245 per lost or stolen record. Furthermore, one in two consumers switches financial institutions after experiencing identity theft, according to the Aite Group.
Like most of your industry competitors, your institution likely already employs technology solutions and people resources to protect your cardholders and your reputation. Still, it’s a good business practice to have a plan in place in the event that your issued cards are compromised.
To get some guidance on the topic, we spoke with security experts Eric Stowell, Vantiv Data Fraud Analyst, and John Winstel, Vantiv Senior Product Manager. Following are some highlights from our conversation.
Q: What steps should an FI take when they learn that a breach has occurred?
A: More than likely, an FI’s payment processing partner will discover the breach before the FI does, and will notify the FI of the occurrence. The first thing an FI should do upon learning that a breach has occurred is identify the cards in their portfolio that are impacted by the breach.
Next, if the FI’s payment processing partner manages their fraud strategies, the FI should alert their processor of the breach and the impacted cards. This way, the processor can flag these cards for more stringent fraud monitoring strategies, since cards that have been affected by a breach have a higher likelihood of ongoing fraud.
Then, a decision needs to be made regarding card reissuance. With all the breaches occurring today, as well as the increased cost of cards, the decision to reissue isn’t as simple as it was a few years ago. The two key factors to consider are how many cards are compromised and how much money the FI is losing to fraud.
From a best practices standpoint, it’s a risk-based assessment. Card reissuance can be expensive and can also have a negative impact on cardholders. But weighed against the institution’s average fraud loss, it could be worth it.
It’s important to determine the tipping point based on the institution’s fraud rate. For some, a three percent fraud rate might be the point where reissuance becomes necessary; for others, it may be as high as 10 percent. All of these factors should be considered, and FIs should work with their processor to see if they can provide insights to the fraud run rate related to that specific breach.
Lastly, it’s important to understand what information was obtained in the breach. For example, did the fraudster get Track 1 and Track 2 data on the card? Is it a CNP breach where the fraudster now has access to CVV2 as well as user names and passwords? The answers to these questions will also help inform the card reissuance strategy.
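The risk-based reissuance assessment described in this answer, worked through as an added example (this is not code from Vantiv or the interviewees). It computes the fraud run rate of a breach from the number of compromised cards and the number with confirmed fraud, derives the break-even rate at which reissuing every card costs the same as the fraud expected if they stay open, and compares the run rate to the institution's own tipping point. All figures in `SAMPLE_BREACH` are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachExposure:
    """What an issuer knows about one compromise event (field names are assumptions)."""
    compromised_cards: int          # cards in the portfolio touched by the breach
    cards_with_confirmed_fraud: int  # of those, cards with confirmed fraudulent activity
    avg_loss_per_fraud_card: float   # average loss on a compromised card that goes bad, in dollars
    reissue_cost_per_card: float     # all-in cost to reissue one card, in dollars


def fraud_run_rate(exp: BreachExposure) -> float:
    """Share of compromised cards that have already experienced fraud."""
    if exp.compromised_cards <= 0:
        raise ValueError("a breach with no compromised cards has no run rate")
    if exp.cards_with_confirmed_fraud > exp.compromised_cards:
        raise ValueError("fraud cards cannot exceed compromised cards")
    return exp.cards_with_confirmed_fraud / exp.compromised_cards


def break_even_rate(exp: BreachExposure) -> float:
    """Run rate at which reissuing all N cards (N * c) equals expected fraud (N * rate * L).

    Setting the two equal gives rate = c / L, independent of N.
    """
    if exp.avg_loss_per_fraud_card <= 0:
        raise ValueError("average loss per fraud card must be positive")
    return exp.reissue_cost_per_card / exp.avg_loss_per_fraud_card


def assess_reissuance(exp: BreachExposure, tipping_point: float) -> dict:
    """Compare the breach's run rate against the FI's own tipping point and the break-even rate."""
    rate = fraud_run_rate(exp)
    n = exp.compromised_cards
    return {
        "fraud_run_rate": rate,
        "break_even_rate": break_even_rate(exp),
        "reissue_cost": n * exp.reissue_cost_per_card,
        "expected_fraud_if_not_reissued": n * rate * exp.avg_loss_per_fraud_card,
        # The institution's policy threshold (e.g. 3% for one FI, 10% for another) drives the call.
        "decision": "reissue" if rate >= tipping_point else "monitor",
        # Whether reissuing is also cheaper than the fraud expected on the open cards.
        "economically_justified": rate >= break_even_rate(exp),
    }


# Constructed example: 20,000 cards compromised, 800 with confirmed fraud so far.
SAMPLE_BREACH = BreachExposure(20_000, 800, avg_loss_per_fraud_card=400.0, reissue_cost_per_card=5.0)

if __name__ == "__main__":
    for tp in (0.03, 0.10):
        print(f"tipping point {tp:.0%}: {assess_reissuance(SAMPLE_BREACH, tp)}")
```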
Q: What are some of the mistakes FIs make when addressing a breach?
A: There are two common mistakes FIs make following a breach. First is not taking the time to review the fraud run rate of the breach. As mentioned above, this is an important factor in the decision about whether or not to reissue cards. Second is not notifying their processor of the breach and thereby failing to create fraud strategies to more closely monitor cardholder activity. Reputable processors like Vantiv have many tools and strategies to help FIs monitor fraud activity and mitigate their risk.
Q: How can an FI protect their reputation and reassure cardholders amidst large-scale breaches like the one that occurred with Equifax?
A: Begin by acknowledging what happened and inform cardholders about the steps being taken to prevent a breach from happening again. Promote the use of card controls and other ways for cardholders to protect themselves. FIs may also want to offer credit monitoring services such as Lifelock.
Q: After a breach has occurred, what can an FI do to re-instill trust with their cardholders?
A: Re-instilling cardholder trust is very important in order to prevent further damage from a breach. First, be sure to explain why their card is being reissued. The reason, of course, is dependent upon your reissue strategy.
Next, educate your cardholders about proactive ways they can protect themselves. For example, they can review their account statements more closely, pay bills on your secure online portal, and let you know when they are traveling. Make sure your cardholders are aware of phishing scams and other common fraud threats. Research shows that most consumers are receptive to taking fraud control into their own hands: 70 percent feel they are equally responsible for protecting themselves against credit and debit card fraud as the card companies.
Additionally, encourage your cardholders to use your institution’s antifraud tools. For example, FIs that partner with Vantiv have access to mobile fraud notifications and card controls that help reduce fraud and increase card usage.
It’s important to note that FIs should be cautious about giving legal advice related to a breach. If the wrong advice is given, the FI could end up being liable and sued by the cardholder. Always let cardholders know about the risk, and be clear about what your institution is doing to mitigate that risk.
Q: What can an FI do to mitigate the effects of a breach and prevent one from happening in the first place?
A: One of the most effective things an FI can do to mitigate the effects of a breach is to work closely with their processor to develop and implement effective fraud-fighting strategies. In order to protect themselves from being targeted by fraudsters, FIs will want to make sure they have strong protections in place and have a team dedicated to monitoring security for their institution.
To find out more about the tools and technologies that can help your financial institution prevent a cardholder breach and mitigate the effects if one does occur, contact Vantiv.