Global Payments Breach Impact on BanksExperts Recommend Top 3 Steps for Breach Response
For banking institutions, the payment card data breach that hit third-party processor Global Payments Inc. is just the beginning.
Now, in the wake of the highly-publicized incident, banks and credit unions have to ride the rough waves of customers' discontent and fears of possible identity theft and fraud.
What steps should banking institutions take to ease customers' concerns and contain any potential fraud? It all starts with account monitoring and customer outreach, says Matthew Speare, senior vice president of IT at M&T Bank.
"Many of these cards will not suffer any fraud against them," Speare says. "But you have to be proactive."
In the wake of a breach, experts say banks and credit unions should monitor accounts, and then determine when and if cards should be reissued. From there, it's critical they set strategic plans to communicate information about the breach with customers and members, clearly explaining the possibility of fraud linked to the breach.
Word of the Global Payments breach began to spread in March, when Visa reportedly notified card issuers about a third-party breach impacting an unspecified number of accounts. Since that announcement, institutions have been taking action to flag affected account numbers and contain anticipated fraudulent transactions.
In an announcement on March 30, Global Payments said it was the source of the breach. And during a conference call on April 2, CEO Paul R. Garcia said the payments processor had self-discovered and reported the breach to the major card networks in mid-March. It also clarified that the breach involved fewer than 1.5 million accounts, rather than the more than 10 million originally reported.
"We are making significant progress in defining and rectifying the event," Garcia said, describing the breach as "contained." He later said about the incident: "This is manageable ... we will get through this."
One card-issuing institution confirmed this week it has monitored accounts since March 23, once it was notified of a possible compromise. Until Global Payments went public, however, this institution had no idea about the source of the breach: "We can identify the acquirer, but with so many different [independent service operators] and many different [bank identification numbers] a single processor may use, for us, it is a needle in a haystack," the bank executive says. "These issues are the worst to deal with."
According to Global Payments, only Track 2 data was stolen in this breach. This distinction is significant because Track 2 data does not typically contain the cardholder's name - just account numbers. As one issuer says: "[Fraudsters] would have to fake a name and hope the issuer wasn't checking for name mismatches in their authorization process."
Institutions still need to be vigilant about committing resources to monitoring accounts, notifying customers and potentially even replacing cards if fraud is suspected.
3 Levels of Breach Response
Because the Global Payments breach has received widespread news coverage, banking customers already are asking questions such as "Are my accounts safe?" Here are the three steps banking/security experts recommend for breach response.
No. 1: Monitor Accounts - This is a bit of a no-brainer, and most card issuers are already doing it. But when presented with a group of potentially compromised cards, it's wise to determine what John Buzzard, who monitors card fraud for FICO's Card Alert Service, calls "the rate of fraud."
"If there are substantial fraud dollar losses already realized against a particular group of payment cards, then the issuer will want to take a more aggressive tack with managing the risk," he says. Few or minimal financial losses are, of course, always a favorable sign. But issuers should remain vigilant and mindful and closely monitor at-risk cards for several months, to ensure that fraud bust-outs do not occur after the hype of the breach has waned, Buzzard says.
M&T's Speare says fraud may never occur, but institutions have to monitor accounts for the short- and long-term. It's the obligatory first step. And it's a necessity before reissuance.
"I recommend that once a financial institution receives a [Compromised Account Management System] alert from Visa/MasterCard, that they begin active monitoring on the cardholder accounts for any signs of fraud before replacing [cards]," he says. "[Fraud] may never occur, but once it does, shut down the card, notify the customer and reissue. The bank owns the customer relationship, not the processor."
Ben Knieff, who oversees fraud prevention strategy for NICE Actimize, says most institutions rely on Visa's and MasterCard's alert files to proactively monitor high-risk accounts and cards. But they also should do more. "Raise alerts for behavior that is out of pattern," Knieff says. "This elevated monitoring may continue for some time, as fraudsters may allow the data to cool for some time before attempting use."
No. 2: Notify Customers - Communicating the possibility of a breach or compromise is critical. Again, the breach has been highly publicized, but one should assume nothing. If there is risk of fraud, then commercial and retail customers alike should be notified by their institutions, and the message needs to be consistent. "Consistency will save headaches in the long run," Buzzard says. "Every customer will favorably react to your message when it's delivered in a timely manner, in a trustworthy fashion and meets their needs as a cardholder."
But the messages for retail and commercial customers will, in many cases, differ.
With the commercial portfolio, institutions must evaluate the terms and conditions associated with the portfolio or portfolio segment and determine the best strategy for communication and reissue, Knieff says. "In some cases, it may be necessary to have much more direct, personal contact through relationship managers and involve the commercial client in the decision on whether/when to reissue."
For retail accounts, acknowledgement of the breach with information about social engineering concerns, such as phishing attacks, may be more appropriate. [See Global Payments Breach: What to Tell Customers.]
Overall, however, every accountholder should be provided with regular updates, and banks and credit unions should leverage their online banking channels to deliver consistent and secure messages about the breach and what they are doing to contain fraud and suspicious transactions, which requires the assistance of their customers and members.
"The customer receives notification that a secure message awaits them, so they log into their online banking session to retrieve the notice," Buzzard says. "This should be standard operating procedure."
No. 3: Replace Cards - If fraud is detected or likely, then it's time to move toward reissuing payment cards. Every institution has a plan in place for card reissuance, but internal baselines can differ. Cost is a factor. The baseline cost for replacement and reissuance of plastic is about $3 per card, but when fraud detection, monitoring and reissuance are joined - never mind the loss of productivity when institutions commit resources to account monitoring and customer notification - the reissuance cost can range between $200 and $250 per customer.
One issuer says some institutions are reluctant to jump the gun on reissuance, not because of cost, but because of customer and member backlash. "We're often challenged by customers who want to know who is responsible [for the breach], and we're unwilling to name the compromised entity unless the entity has self-disclosed," the source says. In the case of the Global Payments breach, because it is now public, some of this onus has been lifted, but the pressures still remain. Many customers don't distinguish that it's a third-party breach; they blame the messenger - their institution.
To ensure customers' and members' accounts are not burdened during the reissuance process, institutions should implement transactional limitations, such as only permitting ATM transactions when the breach has not affected PINs. "This allows the cardholder to still benefit from plastic until a replacement card can be shipped and activated," Buzzard says. "The risk is limited because the PIN was never captured during the original data theft."
The need to be proactive is the main point to remember, Buzzard says. And that means banks and credit unions should prepare for the possibility of reissuance. "We all tend to forget about simple things, like card stock and fulfillment materials," he says. "A major breach could easily leave card issuers gasping when they realize that they have more cards to reissue than they have available materials."