Monday, December 23, 2013

Target Data Breach: Perspective of the Financial Institution

Yet another big data breach has been announced. This time the data breach is from Target, one of the largest retailers in the country. The number of credit and debit cards at risk are over 40 million per the retailer's estimates. The timeline for data theft was from November 29th through as late as December 15th at their retail stores across the country.

These data breaches are not good for consumers, but they really hurt the ultimate victim which is the financial institutions themselves who issue the credit or debit cards. Why? It is the financial institutions that must eat the costs of fraud losses, card replacements, and employee manpower in responding to these data breaches. If a $500 fraudulent transaction takes place on a North Alabama Educators Credit Union member's account that member will receive their $500 back into their account upon dispute of the unauthorized transaction. The credit union has to cover the $500 loss plus the cost of reissuing a new card. For a large exposure list like this Target breach you are talking about hundreds of member card accounts in our case that must be blocked and reissued. That takes valuable employee time and expense to correct a situation that was neither the fault of the member's or the credit union. A breach of another local retailer recently produced fraud losses in excess of $30,000 for the credit union. It is the financial institutions that are bearing the greatest costs associated with these data breach incidents. Most of these costs need to be shifted back to the merchants responsible for allowing the data theft. This can be done either through civil litigation or regulatory actions to hold merchants responsible for their loss of consumer data.

The tricky part about replacing compromised cards is that members are still using their old cards. The credit union tries to avoid the situation where we have to block a card first and then mail out a replacement card. Obviously if fraud is already taking place on a specific account we would have no choice but to block any and all activity using that particular card. The credit union recently had an area retailer that was identified by law enforcement as the source for stolen card data that was resulting in fraudulent transactions taking place very quickly. In cases like this, the credit union had no choice but to block any cards that had been used at the establishment. This can result in members receiving a card transaction denial for a transaction. We are working on a better notification system to notify members either by phone, email, or text when these type situations develop.

Something is going to have to change to reduce these fraud losses. Retailers need to be held accountable. More restrictions such as reduced daily card limits and requiring PIN based transactions for certain merchants/locations may become a reality also. VISA and MasterCard would like to have their cards treated like cash and do not want picture ID's and other verification steps utilized to validate a consumer. The business model for the card payment industry is going to have to change however for financial institutions since these large financial losses are hurting financial institutions. It is hurting North Alabama Educators Credit Union for certain. Be looking for debit card usage changes in 2014 as a result.