One industry analyst has already called it the “absolute worst hack ever,” even though its full extent is still a matter of speculation. Others are less extreme in their characterization, but acknowledge that another online security threshold has fallen.
“It” is the continuing story in the financial services press of a large-scale debit card fraud that began a few months ago with an apparent “security breach” of payment transactions in the systems of one or more retailers. That incident resulted in a massive electronic theft of debit card numbers and their associated PIN data, and a subsequent rash of fraudulent ATM withdrawals on three continents from affected accounts. The institutions involved have since closed many thousands of accounts and reissued debit cards as precautionary measures, but otherwise are crossing their fingers and hoping to limit any further fraud losses. Early estimates range north of 600,000 consumer accounts that may have been “compromised” and put at risk of fraudulent transactions.
This is not the first reported instance of large-scale fraud against PIN-based debit cards, nor even potentially the worst, analyst hyperbole notwithstanding. In the autumn of 2005 a similar incident occurred involving debit transactions at Sam’s Club, a division of Wal-Mart, which affected potentially “millions” of debit cards. In both cases only scant information was released about the parties involved or the extent of actual losses. This second episode, however, appears to have confirmed beyond a reasonable doubt that debit card fraud is a clear and present danger.
What makes these incidents so alarming to financial institutions and industry observers, beyond their potential scope, is that until now PIN-based debit cards were considered relatively safe from such fraud attacks, owing to their presumably higher level of security than signature-based cards.
Debit card fraud used to be limited primarily to lost or stolen cards because of the PIN factor, but not anymore. That myth has now been shattered, and apparently on a very large scale. To the extent that issuers have relied on that presumption of security and minimized their fraud prevention and detection efforts for debit cards, they should now pause to revisit their policies and technology capabilities for combating debit fraud, to ensure that they are as comprehensive, up to date, and effective as possible.
Card Issuers: Caught Between a Rock and a Hard Place
It is entirely possible that these breaches were the result of retailer laxity and failure to abide by industry security standards, but that provides little solace to customers whose accounts may yet be attacked. Numerous surveys indicate that customers overwhelmingly expect their financial institutions to be ultimately responsible for card security.
In such circumstances perception usually becomes reality, and institutions must therefore be prepared to validate that they are assuming this “fiduciary” role seriously, and taking all necessary and prudent steps to safeguard their customers’ financial information. Otherwise they risk widespread alienation and decline in card usage, thus severely debilitating their objectives of reducing operating expenses by migrating customers to electronic payments.
But therein lies the rub. Anti-fraud campaigns and technology initiatives are not inexpensive, and institutions are under intense competitive pressure to keep their expenses down as they upgrade and transition their system architectures over the next several years. How can they balance the demands to control debit card (and other electronic payment) fraud with the equally powerful forces that are demanding a lean, mean, and streamlined operating structure?
Traditionally, card issuers delegated responsibility for antifraud initiatives to individual business units. Programs were thus inconsistent and/or redundant, and dedicated understandably to their respective vertical business requirements. With no overall coordination at the “institution” level it was virtually impossible to oversee risks of fraud that spanned multiple business units, or rolled up into fraudulent customer accounts.
The department-specific methods were certainly effective within limited parameters, and no doubt constituted reasonably strong “front lines” against fraud; but the changing nature and customer-focused emphasis of organizational business models, as well as the growing technological sophistication of fraud, now require a more horizontal, cross-business, enterprise-level means to combat fraud. Institutions are realizing that they must identify and stop potential fraud efforts as early in their “lifespan” as possible, in real time, and share such information among business units and across systems in a cost-effective and integrated fashion.
Needless to say, this situation poses a vexing and continually shifting problem to issuers: what is the “right” balance between cost and benefit on the one hand, and customer security and acceptance on the other? What role should technology play, and how much responsibility should be passed to customers? How can issuers weigh and evaluate alternatives (and thereby develop a coherent and effective anti-fraud strategy) without appearing to be hammering randomly at pop-up clown heads?
Risk Management Framework
This paper seeks to present such a framework for debit card risk management, and a realistic approach that card issuers can take toward controlling or at least mitigating their related fraud issues. It focuses on the development and maintenance of an optimal balance between risk mitigation and customer convenience, and seeks to identify the criteria debit card issuers should utilize in making any trade-offs. The paper addresses debit card fraud exclusively (both PIN-based and signature-based) as opposed to credit cards, ACH or other electronic payments, and covers only consumer-oriented risks and tools, as opposed to corporate client tools. This is not only to manage scope, but also because corporate clients are not yet prolific users of debit cards, and authentication/protection tools already in place for corporate customers are stronger than those for retail customers.
Finally, the paper considers only the perspective of debit card issuers, as opposed to acquirers, networks, card associations, merchants or third-party participants. In that regard, the author has endeavored to use the generic terms “financial institution” or “card issuer” wherever possible. However, since most debit card issuers are banks, the term “bank” should be considered synonymous with “issuer” wherever it appears.