Are card compromises raising fears—and costs—unnecessarily?

By Michael Urban
   

In the recent string of news stories about massive thefts of payment card data from retailers and other organizations, one of several causes for alarm is this: Only a small percentage of the compromised cards resulted in fraud.

While the currently low odds of compromised cardholder data being used for fraud might seem reassuring, it’s actually anything but. In fact, it creates a situation that is dangerous, costly, and perplexing for card issuers and consumers alike.

Card replacement costs vary from $3.50 to $30 per card. Depending on the scope of the compromise, these expenses can have extremely negative effects on institutions of any size. The erosion of consumer confidence adds heavily to the final tally, creating an immediate need to restore faith in the security and convenience of both credit and debit payment cards.

Reducing the impact to customer loyalty

The idea that responses to mass compromises should be timely and effective is at the heart of the financial services industry’s reticence regarding the proliferation of notification laws now being enacted at the federal, state and local levels. Credit card issuers are concerned that undifferentiated broad-scale notifications could alarm many customers unnecessarily, resulting in overreactions that may well cause not only expense for the consumer but undesirable market volatility.

Anecdotal evidence from financial institutions after large-scale breaches supports the possibility of negative portfolio impact. However, companies can do a lot today to reduce negative customer loyalty impacts.

Detection solutions, such as Fair Isaac’s Falcon® Fraud Manager, can replace broad-brush, undifferentiated notifications with informative, helpful identification of the level of fraud risk for each customer, coupled with concrete actions to mitigate that risk.

By putting in place the means to respond appropriately to mass compromises, commensurate with the actual risk to individual accounts, the financial services industry may also lessen demands for legislative remedies.

Blocking versus monitoring

Many card issuers struggle with the options provided to them for handling cards that have been exposed to some form of data theft. The card associations as well as Fair Isaac’s CardAlert Fraud Manager service identify millions of cards each year that are earmarked as “at-risk” cards. Being at-risk is not a guarantee that a card will eventually be used for a fraudulent purpose, but it is a very good reason to monitor the card closely for any suspicious behavior.

Fair Isaac suggests that every at-risk card be loaded into your fraud detection system in a hot list so that unauthorized activity can be identified as quickly as possible. A hot list is also a good way to monitor extremely large batches of cards until there is suitable time for blocking and reissuing new cards.



At-risk cards that are not blocked and reissued should always be loaded into your fraud detection system in a hot list and monitored for future fraud activity. This sample action plan shows an issuer’s monitor/closure and reissue strategy.

Blocking may not always be necessary, but a proactive and ever-changing fraud monitoring strategy is essential for every card-issuing organization.

Here are some additional best practices to consider:

  • Among the cards that appear in block-and-reissue reports, reissue those with pending expiration dates first. Reissuing these cards a little early may help reduce losses from strategic attacks that focus on cards near their expiration date.
  • Reissue high-net-worth accounts as a priority to reduce dollar losses. This may be advantageous if unique BINs have been assigned to accounts that fall into this category. These customers also generate the most interchange and have unusual spending patterns. It is important to keep your card at the top of their wallets.
  • Deny fraudulent transactions in real time to quickly discourage criminals from using cards issued by your institution. Criminals will generally discard an issuer’s inventory early if their cards are getting denied.
  • Determine the percentage of fraud accounts from a compromise you consider excessive, so you can make a balanced decision before embarking on a large block-and-reissue.
  • Join the new CardAlert Fraud Manager Online Community, where more than 4,200 members regularly share fraud trends and helpful information each day. 
  • Call Fair Isaac’s CardAlert Fraud Manager Team directly at 1-800-440-4227 for assistance with any counterfeit debit card skimming situation.
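
The monitor-versus-reissue decision and the reissue ordering described in the practices above can be expressed as a small triage routine. This is an added example, not Fair Isaac's code or any product's API: `AtRiskCard`, `triage`, the 90-day near-expiry window, the threshold values and the choice to put confirmed-fraud cards at the head of the queue are all assumptions, and the batch is constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class AtRiskCard:
    token: str                 # surrogate ID (constructed); never a raw card number
    bin: str                   # BIN the card was issued under
    expires: date
    confirmed_fraud: bool = False

def triage(cards, today, excessive_rate, hnw_bins, near_expiry_days=90):
    """Return (fraud_rate, reissue_queue, hot_list) for one compromise batch."""
    # Every at-risk card goes on the hot list, whether or not it is later reissued.
    hot_list = {c.token for c in cards}
    fraud_rate = sum(c.confirmed_fraud for c in cards) / len(cards) if cards else 0.0

    # At or above the issuer's "excessive" rate: block and reissue the whole batch.
    # Below it: reissue only confirmed-fraud cards (assumption) and keep monitoring.
    if fraud_rate >= excessive_rate:
        candidates = list(cards)
    else:
        candidates = [c for c in cards if c.confirmed_fraud]

    def priority(c):
        near_expiry = (c.expires - today).days <= near_expiry_days
        return (not c.confirmed_fraud,   # confirmed fraud first (assumption)
                not near_expiry,         # then cards with pending expiration dates
                c.bin not in hnw_bins,   # then high-net-worth BINs
                c.expires)               # tie-break: soonest expiry first

    queue = [c.token for c in sorted(candidates, key=priority)]
    return fraud_rate, queue, hot_list

# Constructed sample batch; tokens, BINs and dates are illustrative only.
TODAY = date(2024, 1, 15)
HNW_BINS = {"999902"}
BATCH = [
    AtRiskCard("T1", "999901", date(2024, 2, 29)),
    AtRiskCard("T2", "999902", date(2026, 6, 30)),
    AtRiskCard("T3", "999901", date(2025, 12, 31), confirmed_fraud=True),
    AtRiskCard("T4", "999901", date(2027, 1, 31)),
    AtRiskCard("T5", "999902", date(2024, 3, 31)),
]

if __name__ == "__main__":
    rate, queue, hot = triage(BATCH, TODAY, excessive_rate=0.10, hnw_bins=HNW_BINS)
    print(f"fraud rate {rate:.0%}, reissue order {queue}, monitoring {len(hot)} cards")
```
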

“In the middle of difficulty, lies opportunity”

If ever there were a moment for the financial services industry to follow Albert Einstein’s famous recipe for success, this is it. The emergence and potential growth of mass compromise fraud is a perilous situation, which card issuers can nevertheless turn into a win for both the industry and its customers.

The opportunity here is for issuers to apply to mass compromise response the same kind of analytic precision they use in other areas of their business—acquisition, credit line management, transaction authorizations, retention—differentiating customers by risk in order to assign appropriate risk-based strategies.

By adopting this approach and educating consumers and legislators about its benefits, card issuers may prevent vastly inefficient methods from becoming institutionalized, with consumers bearing the long-term costs. There is also competitive advantage to be gained, with early adopters able to position themselves as leaders in solving a very high-profile problem that has very high mind share—and emotion share—among the public.

Michael Urban is a senior director in Fair Isaac’s Fraud Solutions group. To learn more about managing data breaches and card compromises, download the full Fair Isaac white paper on which this article was based, Risk Management for ATM & Card Compromises.