A recent study by First Annapolis Consulting Inc. found that 22 of the nation’s 30 largest debit card issuers are actively replacing cards in the wake of retailer Target Corp.’s massive data breach. Meanwhile, a suburban Chicago bank warned customers not to use their debit cards in Chicago taxicabs and had rejected $64,000 in suspect transactions from taxis.
• Banks and credit unions in recent years had been moving away from mass reissuance of payment cards after merchant or processor data breaches, preferring instead to ramp up transaction monitoring, according to First Annapolis. But that changed after Minneapolis-based Target disclosed Dec. 19 that it had been hacked and that 40 million payment cards potentially had been been compromised. Target also said non-card information on 70 million customers had been stolen.
“The high profile of the Target data breach and, in some cases, the rapid increase in fraud experience, has caused many financial institutions to make the proactive decision to reissue all, or a large portion of, affected cards,” says a new report from Annapolis, Md.-based First Annapolis.
Casey Merolla, senior manager specializing in debit and prepaid cards, tells Digital Transactions News that based on an informal survey of the top 30 financial institutions ranked by debit cards issued, First Annapolis found that 10 reissued both debit and credit cards, seven reissued debit cards only, one reissued just credit cards, and another four also reissued cards, with the type unknown. Only eight have forgone reissuance in favor of increased transaction monitoring for potential fraud.
First Annapolis, which did its survey based on conversations with bankers, press releases and other communications from financial institutions, did not estimate the total number of cards reissued. It did cite numbers from the Consumer Bankers Association, which has said its members replaced 17.2 million credit and debit cards at a cost of roughly $10 per card, and the Credit Union National Association (CUNA), which reported that credit unions have replaced 5.4 million payment cards at a cost of $30 million. That means Target-related reissuance has cost financial institutions more than $200 million, and that figure doesn’t include fraud losses.
Simply replacing the plastic card is the cheap part; most of the reissuance costs come from customer service, says Merolla. “The most expensive component is the time on the phone,” she says.
Implementing tighter transaction monitoring and approval parameters is much less expensive, she adds. But given Target’s huge customer base and the publicity around its breach, many issuers apparently concluded that reissuance to be the best first response.
• Elk Grove Village, Ill.-based First American Bank last week reported that it was seeing suspect transactions on its MasterCard-branded debit cards, and the common point of origin was Chicago taxicabs. First American on Feb. 10 first received 11 reports from cardholders about suspect transactions, says Christi Childers, associate general counsel and compliance officer. The bank then began monitoring transactions from Chicago cabs closely.
“As of late Friday, we had 478 tested and denied [transaction] attempts that amounted to $64,000,” she says, adding that she didn’t have a figure on confirmed fraud.
First American also did something unusual last Friday—in customer notices and a press release, it asked its customers not to use their cards when paying for Chicago cab rides until the situation was remedied. The bank had notified MasterCard Inc. about the suspicious activity and contacted the taxi companies—Taxi Affiliation Services and Dispatch Taxi, and learned that Bank of America Merchant Services (BAMS) was their processor. First American publicly identified BAMS and its joint-venture co-owner, Bank of America Corp. (The other is First Data Corp.)
Despite “repeated attempts to deal directly” with BAMS and BofA, “these companies have not shared information about their actions and appear to not have stopped the breach,” First American said. The bank also filed a complaint with the city of Chicago.
Childers says First American went public with its concerns in the interests of “protecting the customers…protecting their access to their money. We had to immediately shut down their cards. We wanted them to have uninterrupted access to their money. We couldn’t get the payment processors to stop processing for these companies.”
A BAMS spokesperson says by email that “Bank of America Merchant Services takes allegations of data-security matters very seriously and follows all industry rules and legal mandates to investigate issues. We continue to work and cooperate with our industry partners on this investigation. At this stage of the investigation, it has not been determined that a data breach of a merchant or any of our systems has occurred.”
A MasterCard spokesperson issued a brief statement saying, “We are aware of and investigating reports of a potential breach affecting taxicabs in Chicago. To be clear, MasterCard’s own systems have not been breached.”
And in yet another statement, Maria Guerra Lapacek, commissioner of the Chicago Department of Business Affairs and Consumer Protection, said, “We take the issue of credit card fraud and consumer protection very seriously and we intend to fully investigate these allegations to determine if they are valid and what, if any, further action is necessary.”
Spokespersons for cab companies either didn’t respond to Digital Transactions or couldn’t be reached for comment. According to First American, the cab brands involved include Yellow, Checker, Blue Diamond, American United and others.