Technology has revolutionized worldwide communications and the manner and speed in which we transact business in our professional and personal lives. It has also provided new and fertile opportunities for criminals to commit acts of thievery on unsuspecting individuals and businesses.
The recent burst in plastic card fraud is continuing, seemingly unabated. Much of the increase can be attributed to the theft of debit and credit card information from databases being retained in violation of card association rules at several nationally known retailers. Other fraudulent activities such as “phishing” and counterfeit “skimming” have compounded the losses.
Security breaches leading to plastic card fraud are having a significant impact on credit unions and members. There’s been much publicity over the past several years about database thefts at nationally known retailers including BJ’s Wholesale Club, DSW, Chipotle’s and Polo Ralph Lauren. Earlier this year, breaches at two additional major retailers resulted in hundreds of thousands of compromised accounts, the resulting fraudulent transactions, and the expense of blocking and reissuing thousands of debit and credit cards.
The consequences of computer breaches are damaging and costly. Combined, these breaches allowed millions of dollars in fraudulent transactions and put millions of consumers at risk of becoming a fraud victim or having their identity stolen.
When informed of the breaches, credit unions, banks and other card-issuing institutions have scrambled to either closely monitor compromised card accounts for fraud or cancel them and reissue new cards with new account numbers. Replacing plastic cards is a painstaking and expensive process, costing institutions as much as $25 or more per card.
The Cost of Fraud to Credit Unions
As fraud escalates, CUNA Mutual becomes increasingly concerned. CUMIS Insurance Society, Inc., a member of CUNA Mutual Group, is the fidelity bond insurer for more than 94 percent of all U.S. credit unions. We pioneered plastic card fraud coverage to our Credit Union Bond policyholders.
Our total paid plastic card claims for 2005 were more than double those paid in 2003, and 54 percent higher than those paid in 2004. Losses in 2006 are already ahead of last year's pace.
What’s most troubling is that the worst may be yet to come. Our plastic card coverage was designed to cover catastrophic loss, not merely transfer the ongoing expected losses to us as an insurer. Consequently, we are being forced to tighten underwriting standards and increase deductibles and rates for policyholders with the most significant losses.
These changes simply reflect the increased amount of fraud, the lack of loss prevention in place and our effort to preserve this coverage, which can no longer be offered on the basis it has been in the past.
Fighting Fraud is a Shared Responsibility
Closing security breaches and mitigating losses is CUNA Mutual's number one priority, but we can't do it alone. We found in our discussions with credit unions that many believe they have all the necessary security measures set up, only to find, after digging into the details, that this is not the case. We need credit unions to take action today.
Credit unions that don’t currently have a plastic card fraud problem should not assume they won’t. They should use every available fraud prevention tool as effectively as they can. 24/7 vigilance is key.
Following is a brief summary of the most critical best practices CUNA Mutual strongly recommends credit unions immediately adopt:
- 24 x 7 review of potentially fraudulent activity – This goes beyond simply having a fraud model or rules that "score" a transaction around the clock. 24 x 7 review means having the ability to take action on alerts any time, day or night.
- CVV (Visa) and CVC (MasterCard) Validation – Card associations require that CVV/CVC be validated for all signature transactions when credit and debit cards are presented at a point of sale. What many credit unions don't realize is that CVV/CVC should also be checked for PIN-driven transactions at both merchant and ATM locations. If credit unions do not check CVV/CVC on PIN-debit transactions, members can be duped into providing their name, account number, expiration date and PIN to the criminals – that's all they need to commit fraud.
- CVV2/CVC2 – This three-digit code on the cardholder’s signature panel is used to authenticate Internet, mail, telephone and key-entered transactions. These should be declined when a mismatch occurs.
- Daily Limits – A criminal with access to a working card will spend every dime as quickly as possible. Establishing and enforcing daily limits is a critical measure that puts a lid on fraudulent activity.
- Compliance/Recovery – Most credit unions aren't asserting their rights to recover fraudulent losses from merchants that improperly store card data and later suffer a compromise that puts member data in the hands of organized, high-tech crime rings. Increase pressure on merchants by holding them accountable for irresponsible data management and violation of card association compliance rules.
- Name Matching – Set up the authorization system to decline for all card programs when the name transmitted on the magnetic stripe doesn’t match the cardholder’s name stored on the credit union’s master file.
- Exact Cardholder Expiration Date – An expiration date mismatch should be set to decline for both swiped (magnetic stripe read) and manually-keyed transactions.
- Card Activation – Use an effective activation procedure for all credit and debit card programs, such as PIN-driven or calling from a home phone.
- Address Verification Service (AVS) – Support the AVS tool to allow mail, telephone order and Internet merchants to automatically match a cardholder’s billing address to the shipping address.
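The decline rules from the list above (CVV/CVC on PIN-driven as well as signature transactions, CVV2/CVC2 on keyed transactions, exact expiration date, name matching and daily limits), sketched as one authorization decision function. This is an added example, not CUNA Mutual's or any card processor's code; the record fields, the decline strings and the check_cvv_on_pin switch are assumptions, and the card data is constructed.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class CardRecord:                  # issuer master-file entry; field names are assumptions
    name: str
    expiry: str                    # "MMYY"
    cvv: str                       # CVV/CVC encoded on the magnetic stripe
    cvv2: str                      # CVV2/CVC2 printed on the signature panel
    daily_limit: int               # cents
    spent_today: int = 0

@dataclass
class AuthRequest:
    entry: str                     # "swiped" or "keyed"
    pin_verified: bool
    amount: int                    # cents
    expiry: str
    name: Optional[str] = None     # name read from the stripe
    cvv: Optional[str] = None
    cvv2: Optional[str] = None

def _same(sent: Optional[str], stored: str) -> bool:
    # A missing value never matches; the rest is compared in constant time.
    return sent is not None and hmac.compare_digest(sent.encode(), stored.encode())

def _norm(name: str) -> str:
    return " ".join(name.upper().split())

def authorize(card: CardRecord, req: AuthRequest, check_cvv_on_pin: bool = True) -> str:
    """Return "APPROVE" or a decline reason; check_cvv_on_pin=False models the gap."""
    if req.expiry != card.expiry:                      # swiped and keyed alike
        return "DECLINE_EXPIRY_MISMATCH"
    if req.entry == "swiped":
        # With the switch on, a verified PIN does not excuse a bad stripe CVV/CVC.
        if (check_cvv_on_pin or not req.pin_verified) and not _same(req.cvv, card.cvv):
            return "DECLINE_CVV_MISMATCH"
        if not req.name or _norm(req.name) != _norm(card.name):
            return "DECLINE_NAME_MISMATCH"
    elif not _same(req.cvv2, card.cvv2):               # keyed: Internet, mail, phone
        return "DECLINE_CVV2_MISMATCH"
    if card.spent_today + req.amount > card.daily_limit:
        return "DECLINE_DAILY_LIMIT"
    card.spent_today += req.amount
    return "APPROVE"

if __name__ == "__main__":                             # constructed sample data
    card = CardRecord("DOE/JANE", "0908", "123", "456", daily_limit=50000)
    print(authorize(card, AuthRequest("swiped", True, 20000, "0908", "DOE/JANE", cvv="000")))
```

With check_cvv_on_pin=False the same request, carrying a correct PIN, name and expiration date but the wrong stripe CVV, is approved, which is the gap the CVV/CVC item describes.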
For the sake of credit union members everywhere, we must all do our part to help stem this rising tide of plastic card fraud. We will continue to communicate with policyholder credit unions about this vitally important issue. For more information in the meantime, visit www.cunamutual.com or call 1-800-637-2676.
Marc Krasnick is senior vice president, Credit Union Protection, with CUNA Mutual Group. He can be reached at 800-937-2644, ext. 7161, or at email@example.com.