
Managing Card Compromises from the Issuer’s Perspective

Industry insiders share tips for effectively managing mass compromises

Large-scale payment card compromises and account data breaches continue to occur with frequency year after year, with the number of cardholders affected sometimes reaching startling levels. As a result, savvy card issuers have adopted a risk-based approach to managing these events. Instead of broad-brush methods, they’re using more focused, scalable and cost-effective methods that minimize the number of customers inconvenienced.

The success of these new methods depends on issuers having systematic processes for deciding which cards are most at risk for fraud, and for taking correct and timely actions based on these decisions. A recent FICO survey, however, suggests that more than 80% of issuers are struggling with various aspects of these processes.

This white paper synthesizes best practices shared with us by a task force of leading issuers working toward better management of card compromises. It covers tips for:

•  Helping to identify the compromise location.

•  Assessing the level of fraud risk for compromised cards.

•  Minimizing loss and improving customer communication during reissue of high-risk cards.

•  Managing lower-risk cards over the longer term.

While our task force comprised US issuers, many of the tips here have proven successful for card issuers in other countries as well.

Number 60—June 2012

Recent card compromises have put as many as 24 million accounts at risk


»

insights

Thefts of cardholder information that put large numbers of accounts in harm’s way have become a frequent item in the news and a constant fact of business life for card issuers. As shown in Figure 1, the favorite target of the moment shifts as criminals seek out the currently most vulnerable and relatively least risky (for them) points of attack.

In 2010, for instance, there was a concentration of PIN debit card compromises at US bank ATMs, too many of which were under-protected. Banks took measures to shore up defenses, however, and that, along with media attention that brought increased public awareness, seems to have shifted the focus of fraudsters back to retail point-of-sale terminals. In 2011, these again were the predominant locus for PIN debit card skimming. Meanwhile, in 2012 so far, the headlines have included a data breach at Zappos, a major online retailer, exposing as many as 24 million customers to the potential for fraud or identity theft. The aftermath of this crime has included plenty of media excoriation and several individual and class-action lawsuits against the company and its parent, Amazon.com.1 A few months later, there were reports that up to 10 million credit and debit cards may have been compromised in a breach at Global Payments, a US-based credit card processor.2 And at about the same time, the Massachusetts Office of Consumer Affairs and Business Regulation published a report showing that as a result of some 1,800 data breaches over the past 4 years, some 3.2 million people—nearly half of the state’s residents—have had their personal information lost or stolen.3

The impact on customer satisfaction from having transactions declined and cards blocked and reissued is obvious to anyone who spends a few minutes looking at consumer-oriented blogs or Twitter posts on the topic. The danger for issuers is that upset customers may switch to competitors. Full-service banks risk undercutting their own efforts at building multi-faceted, more profitable relationships with existing customers.

The Always-Changing, Never-Abating Battle

Figure 1: Shifting fraud concentrations. US PIN points-of-compromise 2001–2011 (FICO® Card Alert Service statistics): percentage of cases per year from 2001 through 2011, split among POS, ATM—Non Bank and ATM—Bank. Source: FICO™ Banking Analytics Blog. © 2012 Fair Isaac Corporation.

“I don’t feel secure with that bank any longer. I was upset, haven’t got reimbursed for the money lost and it caused me the inconvenience of filling out forms and waiting (who knows how long?) to get my money reimbursed.”

— Comment posted on CNNMoney.com, April 17, 2012

1 “Zappos, Amazon sued over customer data breach,” MSNBC, Jan 18, 2012

2 “Global Payments data breach exposes card payments vulnerability,” Forbes.com, April 3, 2012

3 “3.2m in Mass have had data lost, stolen,” boston.com, April 24, 2012


The frequency and scale of these card compromises makes it essential for issuers to adopt risk-based responses. Previous broad-brush methods of blocking and reissuing all compromised cards are wasteful, costly and disruptive.

However, the challenge for financial institutions is how to know which cards are most at risk and how to take proportionate, timely action that balances their fiduciary responsibility with the need to minimize customer impact and operational costs.

A recent informal FICO survey of several hundred US financial institutions showed that the majority of institutions are struggling with these challenges. As shown in Figure 2, more than 40% of respondents cited decision making as the single greatest challenge in managing card compromises. Another 28% pointed to lack of automation and tools for taking systematic, efficient, targeted action. Customer communication was the biggest issue for 16% of the financial institutions. The best practices discussed in this paper address these three top challenges. They’re the “secret recipes for success” that 30 volunteer issuers from a FICO-hosted Managing Card Compromises Working Group found to be most effective at minimizing fraud losses, most work-friendly to their internal processes, and most customer-friendly to their cardholders.

To avoid blocking and reissuing cards unnecessarily, financial institutions need timely ways to determine the group of cards put at risk by a skimming event, data breach or other crime, and differentiate among cards in the group based on fraud risk level.

Identifying the point of compromise

To identify compromises that span the gamut from credit to ATM, many card issuers use fraud detection services, such as the FICO® Card Alert Service, while also creating their own tools and processes to aid in the early identification of at-risk cards. The following ideas are excellent examples of the procedures that many issuers have implemented to help identify a common point of purchase where the compromise is likely to have taken place.

•  Examine six months of accountholder activity based on emerging fraud patterns that involve a specific geographic area or similar transaction type, like PIN POS (point of sale), signature POS or ATM.

A Risk-Based Response Is Essential, Though Not Always Easy

Figure 2: Issuer top challenges in managing card compromises

  When to block and reissue: 42%
  Lack of automation and tools: 28%
  Customer communication: 16%
  Not enough personnel: 10%
  Card fulfillment issues: 4%

Issuer Best Practices for Risk-Based Decision Making


•  If you have a group of cardholders linked to the same fraud case, review the histories of the newest cardholders first. New cardholders tend to have significantly less transactional history to review, so starting with them can save time and increase accuracy.

•  Make every attempt to ignore nationally known merchants until you have exhausted all other possibilities. Large numbers of transactions conducted at nationally recognized merchant locations can impede the outcome of the analysis.

•  If several cards in a combined case have only been used once at a specific location, there is a higher likelihood that one of these locations will be the point of compromise.

•  Examining the unique transaction dates of the known fraud cards tied to a common point of purchase can help to identify a compromise date range.

For example: Fraud card A performed a single transaction on April 01, 2012, at the suspected point of compromise. No other fraud cards were used at this location prior to this date. Fraud card J was used once on July 04, 2012. No other fraud cards were used at this location after that date. Compromise date range would likely be April 01, 2012, to July 04, 2012.

•  Use the suspected point of compromise date range to identify all cards transacting at that location within that window of time. These are the “at-risk” cards—the highest-risk cards associated with the compromise location.

•  It may be helpful to contact local card issuers and ask them if they are seeing the same patterns and compromise date ranges.
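The point-of-compromise steps above, worked through as an added Python example that is not from the paper or from FICO: the merchant names, card ids and dates are constructed, and ranking merchants by distinct fraud cards with a single-use tie-breaker is one straightforward reading of the tips.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (hypothetical): portfolio transactions as
# (card_id, merchant, transaction_date). Cards "F1".."F4" are the known fraud
# cards; "C1".."C3" are other cardholders with no fraud reported yet.
TRANSACTIONS = [
    ("F1", "MegaMart #12", date(2012, 3, 30)),
    ("F1", "Corner Gas", date(2012, 4, 1)),
    ("F2", "MegaMart #12", date(2012, 4, 10)),
    ("F2", "Corner Gas", date(2012, 5, 2)),
    ("F3", "Corner Gas", date(2012, 6, 15)),
    ("F3", "MegaMart #12", date(2012, 6, 16)),
    ("F4", "Corner Gas", date(2012, 7, 4)),
    ("F4", "Corner Gas", date(2012, 7, 4)),     # used twice the same day
    ("F4", "Pizza Place", date(2012, 7, 5)),
    ("C1", "Corner Gas", date(2012, 5, 20)),    # non-fraud card inside the window
    ("C2", "Corner Gas", date(2012, 8, 1)),     # non-fraud card after the window
    ("C3", "MegaMart #12", date(2012, 5, 5)),
]
FRAUD_CARDS = {"F1", "F2", "F3", "F4"}
# Nationally known merchants are set aside first, per the tip above.
NATIONAL_MERCHANTS = {"MegaMart #12"}


def rank_common_points(transactions, fraud_cards, ignore=frozenset()):
    """Rank merchants by the number of distinct fraud cards seen there.

    Ties go to the merchant where more fraud cards were used exactly once.
    Returns (merchant, distinct_fraud_cards, single_use_cards), best first.
    """
    per_merchant = defaultdict(lambda: defaultdict(int))
    for card, merchant, _ in transactions:
        if card in fraud_cards and merchant not in ignore:
            per_merchant[merchant][card] += 1
    ranked = []
    for merchant, counts in per_merchant.items():
        single_use = sum(1 for n in counts.values() if n == 1)
        ranked.append((merchant, len(counts), single_use))
    ranked.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return ranked


def compromise_window(transactions, fraud_cards, merchant):
    """First and last fraud-card transaction dates at the suspected location
    bound the likely compromise date range."""
    dates = [d for c, m, d in transactions if c in fraud_cards and m == merchant]
    return min(dates), max(dates)


def at_risk_cards(transactions, merchant, window):
    """Every card that transacted at the location inside the window joins the
    at-risk group, whether or not fraud has been reported on it yet."""
    start, end = window
    return sorted({c for c, m, d in transactions if m == merchant and start <= d <= end})


if __name__ == "__main__":
    ranked = rank_common_points(TRANSACTIONS, FRAUD_CARDS, NATIONAL_MERCHANTS)
    suspect = ranked[0][0]
    window = compromise_window(TRANSACTIONS, FRAUD_CARDS, suspect)
    print(f"suspected point of compromise: {suspect}")
    print(f"compromise window: {window[0]} to {window[1]}")
    print(f"at-risk cards: {at_risk_cards(TRANSACTIONS, suspect, window)}")
```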

Assessing the fraud risk

Card issuers have to be able to evaluate the current risk picture on a daily basis to determine what fraud-mitigating actions to take next. The following best practices help with the assessment of current losses, while enabling the issuer to logically prioritize a workflow and thereby avoid the inefficiencies of working the same card more than once.

•  Determine the rate of fraud (ROF) for the group of at-risk cards. Examine all cards to see how many of these accounts have already been closed because of fraudulent activity. Divide the number of cards with fraud by the total number of cards in the compromised group to find the percentage. Card issuers should individually determine what ROF percentage will escalate card reissuance.

For example: 850 cards appear on a fraud alert from a third-party service. Of these, 283 cards have already been closed due to fraud or reported as fraud by customers. Dividing 283 by 850 results in a 33% ROF.

“I am simply too busy to keep revisiting a single card much less second-guess my decisions. I have to be able to make a fast decision and keep on moving to my next task.”

— Member of the FICO user community


•  Revisit your fraud strategies and fraud claims in tandem. Review current fraud claims tied to the compromise to see if these fraud losses are already managed by current fraud strategies. Issuers may need to perform a full card reissuance if existing or new fraud strategies are unable to mitigate the losses.

•  Look at risk exposure on “closed” and “open loop” payment cards. Preemptive action to reissue these cards is generally not advisable unless there are substantial numbers of them with preloaded values of $300 or more. Determine in advance how many fraud claims will be necessary to initiate more aggressive card reissuance. Below this threshold, at-risk prepaid BINs should remain in the fraud review process to monitor the ROF and take action if it rises above the threshold.

•  Sort the entire group of cards by expiration date. Those naturally expiring within the next 30 to 90 days should be reissued immediately, as a simple, routine replacement. This technique removes these cards from those requiring explicit anti-fraud treatment. At the same time, it eliminates a substantial amount of the near-term fraud risk—criminals also sort groups of compromised cards by expiration date so that they can use them before expiration.

•  Look at how recently fraud losses from this compromise have occurred. Compromised cards that are fraudulently transacting today represent a far greater risk potential than compromised cards that have already peaked in terms of fraud spend.

•  Isolate and remove any cards that have already been reissued for any reason AFTER the date range of the compromise, since there’s little risk of fraud on these cards.

•  Determine if this group of at-risk cards represents immediate risk potential. Calculate the fraud exposure by multiplying the number of remaining at-risk cards against the average fraud loss from the cluster.

For example: In a compromise group of 1,000 cards, 250 cards have been closed due to fraudulent activity with an average loss of $378 per card, resulting in a current overall loss of $94,500. Loss exposure for the remaining 750 open cards would be $283,500.

•  Identify cards that are involved in more than one compromise, which significantly escalates the odds for unauthorized use. Cross-counting the number of compromise events is, therefore, a recognized method of determining when to reissue. Reissue is recommended when:

•  An account has been involved in both a card-present and a card-not-present event within the last 365 days.

•  An account is listed on more than three compromises, which also significantly escalates the odds for unauthorized use.
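An added Python example, not the paper’s or FICO’s code, that applies the assessment steps above to a constructed compromise group: ROF, loss exposure, the expiration-date and post-window reissue screens, and the cross-count rule. The 33% escalation threshold is an assumed issuer choice (the paper leaves the value to each issuer), and paper_example() reproduces the 1,000-card figures given in the text.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class AtRiskCard:
    """One card in a compromise group (constructed example record)."""
    card_id: str
    expires: date
    fraud_loss: float = 0.0                   # confirmed loss; > 0 means closed for fraud
    reissued_on: Optional[date] = None        # most recent reissue date, if any
    # (event_type, event_date) for each compromise event the card is listed on
    compromises: List[Tuple[str, date]] = field(default_factory=list)


def rate_of_fraud(cards):
    """ROF: cards already closed for fraud divided by the whole group."""
    closed = sum(1 for c in cards if c.fraud_loss > 0)
    return closed / len(cards) if cards else 0.0


def loss_exposure(cards):
    """Remaining open cards multiplied by the average confirmed loss per fraud card."""
    losses = [c.fraud_loss for c in cards if c.fraud_loss > 0]
    if not losses:
        return 0.0
    return (len(cards) - len(losses)) * (sum(losses) / len(losses))


def cross_count_reissue(card, today):
    """Reissue if listed on both a card-present and a card-not-present event
    within the last 365 days, or on more than three compromises in total."""
    recent = {kind for kind, d in card.compromises if 0 <= (today - d).days <= 365}
    return {"card-present", "cnp"} <= recent or len(card.compromises) > 3


def triage(cards, window_end, today, expiry_days=90, rof_threshold=0.33):
    """Sort the open cards into action buckets. rof_threshold is an assumed
    issuer-chosen escalation point; the paper leaves the value to each issuer."""
    buckets = {"excluded": [], "routine_reissue": [], "reissue": [], "monitor": []}
    for c in cards:
        if c.fraud_loss > 0:
            continue                               # already closed; only feeds the ROF
        if c.reissued_on is not None and c.reissued_on > window_end:
            buckets["excluded"].append(c.card_id)  # reissued after the window: little risk
        elif (c.expires - today).days <= expiry_days:
            buckets["routine_reissue"].append(c.card_id)  # expiring soon: plain replacement
        elif cross_count_reissue(c, today):
            buckets["reissue"].append(c.card_id)
        else:
            buckets["monitor"].append(c.card_id)
    if rate_of_fraud(cards) >= rof_threshold:
        # ROF at or above the issuer's threshold escalates the whole remaining group
        buckets["reissue"] += buckets["monitor"]
        buckets["monitor"] = []
    return buckets


def paper_example(n_cards=1000, n_fraud=250, avg_loss=378.0):
    """Rebuilds the paper's worked numbers: 1,000 cards, 250 closed at $378 each."""
    exp = date(2014, 1, 31)
    group = [AtRiskCard(f"F{i}", exp, fraud_loss=avg_loss) for i in range(n_fraud)]
    group += [AtRiskCard(f"O{i}", exp) for i in range(n_cards - n_fraud)]
    return rate_of_fraud(group), loss_exposure(group)


# Constructed sample group: compromise window ended 2012-07-04, reviewed 2012-07-20.
WINDOW_END, TODAY = date(2012, 7, 4), date(2012, 7, 20)
SAMPLE = [
    AtRiskCard("A", date(2013, 6, 30), fraud_loss=400.0),
    AtRiskCard("B", date(2013, 6, 30), fraud_loss=356.0),
    AtRiskCard("C", date(2012, 9, 30)),                               # expires in 72 days
    AtRiskCard("D", date(2014, 1, 31), reissued_on=date(2012, 7, 10)),
    AtRiskCard("E", date(2014, 1, 31), compromises=[("card-present", WINDOW_END), ("cnp", date(2012, 2, 1))]),
    AtRiskCard("F", date(2014, 1, 31), compromises=[("card-present", WINDOW_END)]),
    AtRiskCard("G", date(2014, 1, 31), compromises=[("card-present", WINDOW_END), ("cnp", date(2010, 1, 1))]),
    AtRiskCard("H", date(2014, 1, 31), compromises=[("cnp", date(2011, 9, 1))] * 4),
]
```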


Once issuers have separated cards within a compromised group by fraud risk, they have the means to take efficient, targeted actions to mitigate that risk.

Reissuing higher-risk compromised cards

•  Identify cards associated with high-net-worth customers. These cards should generally be reissued promptly. Prompt action not only reduces exposure amounts, it also provides an opportunity to demonstrate excellent service and interact with valuable customers.

•  Do not reissue directly sequential card numbers. Randomizing the card number sequences and expiration dates can help to prevent one card from being used to exploit hundreds more by criminals who try to guess an issuer’s card or expiration date practices.

•  Avoid reissuing cards with the same card number/PAN (primary account number). Be sure to include a new CVV/CVC within the magnetic stripe to maximize the security of the newly issued card.

•  Limit certain transactions during the reissuance process. (Check to make sure that this practice does not conflict with federal or state regulations.) Limits should be based on the nature of the compromise.

For example: If the compromise involves PIN capture, block PIN transactions for high-risk cards. The cardholder would still be permitted to make signature transactions until the newly issued card is activated.

•  Consider lowering daily limits until a new card can be activated by the cardholder. Lower limits reduce risk and may not even impact the typical cardholder, who never fully maximizes daily limit thresholds.

•  Eliminate delays by making sure that all components of the card fulfillment process are ready for immediate action.

•  Set up “digital” plastics or “white” plastics where the card artwork is applied to white card stock at the time it is produced/embossed.

Issuer Best Practices for Managing Risk with Efficient, Targeted Action

Figure 3: General decision guidelines based on compromise type

Compromise type: Full track data & PIN
  Risk potential: High risk of PIN counterfeit fraud
  Recommended action: Perform full card reissuance

Compromise type: Magnetic stripe only
  Risk potential: High risk of point-of-sale (POS) fraud
  Recommended action: Undertake risk assessment at individual card level to determine appropriate risk mitigation actions; create business rules for high counterfeit risk and isolate cards from general portfolio; consider reissuing higher-risk cards

Compromise type: Non-magnetic stripe (account number, CVC2, expiration date)
  Risk potential: Risk of mail order/telephone order (MOTO) or card-not-present (CNP) fraud
  Recommended action: Undertake risk assessment at individual card level to determine appropriate risk mitigation actions; create business rules to combat CNP fraud


•  Make sure there is adequate card plastic in stock at all times for a major card reissuance. Some recent data breaches have caused considerable delays in card reissuance due to overwhelming demand.

•  Have envelopes and other printed materials available in adequate quantities to support a major card reissuance.

•  Create statement inserts using on-demand printing methods to eliminate the need to keep large amounts of supplies on hand and enable product/agreement/disclosure changes to occur more easily. Consult card fulfillment partners to see what options are available.

Monitoring and managing lower-risk compromised cards

Most compromised cards that are not reissued should be monitored for a period of time. Watching for a rising ROF and subjecting the cards to additional rules or detection enables issuers to manage their elevated fraud risk. Here are some tips from Working Group members to more effectively perform these critical functions of reissuance and monitoring:

•  Create a database and import all at-risk cards not undergoing near-term reissuance.

•  Feed the database daily with emerging information, such as fraud claim data, confirmed fraud transactional data and closed card vs. open card data.

•  Review the updated data on a weekly basis to identify any cards where fraudulent activity is increasing to the point where more aggressive action is required.

•  Use a decision matrix to determine when to elevate the level of response. Factors might include gross fraud losses that meet a predetermined threshold amount, or ROF that increases to a certain percentage.

•  Take action when the fraud patterns being seen are not easily controlled with current fraud strategy rules.

For example: A fraud rule that was created to deny transactions in a specific country now needs to be expanded to include other countries where the fraud has shifted since the original rule was written.

•  Use flagging as an alternative or supplement to database monitoring.

•  Flag cards when fraud alerts are received.

•  Process flagged cards through additional anti-fraud strategies that focus on locations where the flagged cards are transacting.

For example: Write an “out-of-band” rule to identify any transaction on a flagged card that occurs 100 miles or more from the cardholder’s address.


•  Write rules that apply flags to transaction elements, such as merchant category codes (MCC), authorization amounts or velocity of certain types of activity. For signature POS transactions, for example, such rules might include:

•  By MCC, card present, >$99, >300 miles from home address.

•  By MCC, card present, >$99, in a specific state or country.

•  Gas transactions (5541), >= 3 transactions in 24 hours.

•  Set expiration dates on flags to prevent continuous, needless monitoring. Regularly review soon-to-expire flags in case any require a time extension.

•  Review daily reports that highlight current and changing status on the most risky aspects of compromised cards. These might include custom reports on all international card-present transactions and all transactions declined due to authorization-blocking rules.
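The flag rules above (out-of-band distance, MCC plus amount plus distance or country, and gas velocity) run over a constructed stream of signature-POS authorizations, as an added Python example not taken from the paper: cardholder home coordinates, flag expiry dates and the watched-country set are assumptions, and distance is great-circle miles from the cardholder’s address.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed cardholder records: home coordinates and the flag placed when a
# fraud alert was received, with an expiry so monitoring does not run forever.
CARDHOLDERS = {
    "4111-01": {"home": (41.88, -87.63), "flag_expires": datetime(2012, 9, 1)},  # Chicago
    "4111-02": {"home": (41.88, -87.63), "flag_expires": datetime(2012, 6, 1)},  # flag lapsed
}

# Constructed authorizations: (card, timestamp, mcc, amount, lat, lon, country)
AUTHS = [
    ("4111-01", datetime(2012, 7, 10, 9, 0), 5411, 42.10, 41.90, -87.65, "US"),    # grocery near home
    ("4111-01", datetime(2012, 7, 10, 18, 0), 5732, 650.00, 34.05, -118.24, "US"), # electronics, Los Angeles
    ("4111-01", datetime(2012, 7, 11, 8, 0), 5541, 60.00, 34.05, -118.24, "US"),
    ("4111-01", datetime(2012, 7, 11, 12, 0), 5541, 55.00, 34.05, -118.24, "US"),
    ("4111-01", datetime(2012, 7, 11, 20, 0), 5541, 70.00, 34.05, -118.24, "US"),  # third gas auth in 24h
    ("4111-01", datetime(2012, 7, 12, 10, 0), 5999, 120.00, 45.50, -73.57, "CA"),  # card present, Montreal
    ("4111-02", datetime(2012, 7, 12, 10, 0), 5732, 999.00, 34.05, -118.24, "US"), # flag expired: ignored
]


def miles_between(a, b):
    """Great-circle distance in statute miles (haversine formula)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 3958.8 * asin(sqrt(h))


def evaluate(auths, cardholders, watched_countries=frozenset({"CA"})):
    """Apply the example flag rules to flagged cards only, in time order.
    Returns (card, rule, timestamp) for every rule hit."""
    hits = []
    gas_history = {}                              # card -> timestamps of MCC 5541 auths
    for card, ts, mcc, amount, lat, lon, country in sorted(auths, key=lambda a: a[1]):
        holder = cardholders.get(card)
        if holder is None or ts >= holder["flag_expires"]:
            continue                              # not flagged, or the flag has expired
        dist = miles_between(holder["home"], (lat, lon))
        if dist >= 100:
            hits.append((card, "out-of-band >=100mi", ts))
        if amount > 99 and dist > 300:
            hits.append((card, f"mcc {mcc} >$99 >300mi", ts))
        if amount > 99 and country in watched_countries:
            hits.append((card, f"mcc {mcc} >$99 in {country}", ts))
        if mcc == 5541:
            # velocity rule: keep only this card's gas auths from the last 24 hours
            recent = [t for t in gas_history.get(card, []) if ts - t <= timedelta(hours=24)]
            recent.append(ts)
            gas_history[card] = recent
            if len(recent) >= 3:
                hits.append((card, "gas 5541 >=3 in 24h", ts))
    return hits


if __name__ == "__main__":
    for card, rule, ts in evaluate(AUTHS, CARDHOLDERS):
        print(f"{ts:%Y-%m-%d %H:%M} {card} {rule}")
```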

Financial institutions today are acutely aware of the need to improve communication with customers. It’s the bedrock of their efforts to retain and build more profitable relationships. There are some excellent new ways to do this, thanks to technology advances and the broad acceptance of mobile devices with SMS (short message service) and other texting capabilities. More and more financial institutions are leveraging these to add innovative methods to their traditional modes of customer communication. Here are some tips from Working Group members for communicating with customers effectively during management of card compromises:

•  Account alerts. Encourage cardholders to set up their own accounts for alerts to be delivered in real time via their preferred communication channel (email, smart phone via SMS, etc.). Account alerts are valuable communication tools for instantly reaching cardholders to advise them of a significant transaction, like a high-dollar ATM withdrawal, that could be fraudulent.

•  Secure communication. Recognize that the most secure way to communicate with your customers is by posting all confidential communications inside a secure online banking website. Require customers to sign in and pass authentication challenges before viewing sensitive messages.

•  Communication templates. Create communication content, such as call scripts, letters and FAQs in advance, to be able to reach out to cardholders at a moment’s notice in the event of a variety of fraud schemes. Make sure legal experts review all content before it is distributed to customers. As a starting point for issuers, FICO has posted a sample call script, notification letter and online banking FAQ document on the FICO Banking Analytics Blog.

Issuer Best Practices for Customer Communication Effectiveness


For maximum fraud defenses—both proactive and reactive—rely on these fully integrated FICO solutions:

FICO® Card Alert Service is an issuer-based ATM fraud detection service in the US. It analyzes daily ATM transactions across a network of more than 10,000 financial institutions to pinpoint common points of compromise, while also identifying at-risk cards before the majority incur losses. The service analyzes more than 65% of all daily ATM transactions in the US.

FICO® Falcon® Fraud Manager is the most accurate and comprehensive solution for detecting payment card fraud worldwide, reducing losses by up to 50%. The solution detects fraud across multiple channels (online banking, ACH, branch, etc.) and for both credit and debit cards. It includes cutting-edge analytics that adapt detection to changing fraud patterns and cardholder behavior in the production environment, enabling the detection of up to 44% more fraud.

How FICO Solutions Help (capabilities of FICO® Card Alert Service and FICO® Falcon® Fraud Manager):

•  Protects against multiple counterfeit card fraud, skimming and mass compromise risk

•  Identifies card and PIN compromise locations at POS and ATM terminals, merchants and processors

•  Analyzes multiple card ATM withdrawal patterns to identify counterfeit card fraud across a wide spectrum of issuers

•  Performs predictive risk analysis of compromised cards based upon fraud patterns affecting multiple issuers

•  Protects against multiple types of card fraud, including card not present, cross-border fraud, counterfeit fraud, lost and stolen card fraud

•  Profiles individual cardholder behavior, merchants and ATM devices to detect the most credit and debit card fraud at the lowest false positive ratios

•  Prioritizes fraud alerts to enable assignment of fraud operation resources to cases that are most likely to be fraud

•  Flags cardholder accounts to identify and segment compromised cards for specialized monitoring

•  Enables the development of unlimited rule strategies to manage flash fraud and compromise events


The Insights white paper series provides briefings on research findings and product development directions from FICO. To subscribe, go to www.fico.com/insights.

For more information: North America toll-free +1 888 342 6336; International +44 (0) 207 940 8718; email info@fico.com; web www.fico.com


Large-scale payment card compromises and account data breaches have become an unfortunate feature of modern life. Savvy issuers have responded by adopting risk-based management approaches that are scalable and cost-effective no matter how many cards and accounts are affected. These methods balance fiduciary responsibility with the need to minimize customer impact and operational costs.

The better the issuer handles the details of risk-based compromise management, the greater the benefits to the institution and its customers. Issuers adopting best practices and refining them for their particular requirements gain advantages in loss mitigation and customer satisfaction. Learn more:

•  Join the fraud discussion on Fraud Alert Network. Registration is complimentary, and restricted to law enforcement and financial institution personnel.

•  Participate in the free monthly fraud webinar, “Combating Fraud Through Peer Communication.” The series allows hundreds of financial institutions to share thinking on fraud trends and prevention tactics in a noncompetitive environment.

•  Download Insights papers on the latest thinking in fraud management, originations decisioning, mobile communications and other issuer-relevant topics.

•  Subscribe to the FICO Banking Analytics Blog for additional information on fraud threats and anti-fraud best practices.
