Saturday, November 9, 2024

Survey: Mass Reissuance May Be Overkill in Merchant Breach Cases

A recent survey indicates debit card issuers may be overreacting to database breaches that compromise card data held by merchants. Nine out of 10 debit card issuers have received notice in the last few years that their cards could have been compromised in a breach, and of these, some 87% have reissued cards. Just over half of the reissuing banks did so automatically, that is, they issued new cards to replace compromised cards without waiting to see if the linked accounts experience fraud. One-third reissued cards only for selected accounts after fraudulent activity occurred. Only 13% of notified issuers didn't reissue at all.

That's according to a survey of 55 debit card issuers of varying sizes conducted by Dove Consulting for Pulse EFT Association LP, a Houston-based electronic funds transfer network owned by Discover Financial Services LLC. Yet, on average, just 8% of cards issued by notified banks may have been compromised, according to the survey, and the fraction of cards that ultimately sustain fraudulent activity is very low, less than 5% of those compromised. “Merchant breaches have taken a toll on issuers, but issuers' response may have been disproportional to the impact,” says an executive summary of the survey, which also covers interchange pricing and other fees, rewards, and transaction growth. It follows a similar survey released in December 2005.

The fraud results from the survey come in the wake of two breaches at major merchants in recent weeks that exposed a still untold number of accounts. Four suspects have been arrested in connection with PINs and other card data obtained from rigged PIN pads at stores operated by Stop & Shop Supermarket Cos., a Quincy, Mass.-based chain (Digital Transactions News, Feb. 27). And in January, TJX Cos. Inc., a Framingham, Mass.-based off-price retailer operating under multiple banners, reported a database intrusion that exposed information linked to credit and debit card accounts.

Over the weekend, press reports said banks and credit unions in Maine are reissuing debit cards to tens of thousands of customers as a result of the TJX breach. TD Banknorth, a Portland-based banking company, is reissuing debit cards to as many as 200,000 cardholders in eight states, according to The Associated Press. Two weeks ago, TJX reported the intrusion was more extensive than it originally believed (Digital Transactions News, Feb. 21). Issuers in these and other cases of merchant breaches have complained of the costs they incur to reissue cards to protect customers. The Massachusetts legislature is considering a bill that would force merchants sustaining breaches to bear financial liability for fraud-related costs.

But the Dove survey data would seem to indicate that by conducting mass card reissuance, issuers are imposing unnecessarily high costs on themselves. Considering that actual fraud occurs on less than 0.4% of cards issued by notified institutions (less than 5% of 8%), the fact that 54% of notified issuers automatically proceed with reissuance of compromised cards “seems excessive,” says Tony Hayes, a vice president at Boston-based Dove. Those that wait and reissue only those cards on which actual fraud is suspected, says Hayes, run the risk of incurring some fraud loss but avoid the costs of reissuing large numbers of cards. Estimates of debit card reissuance following a data breach run from $12 to $22 per card, including the cost of cardholder communication as well as the cost of postage and the plastic itself.

To combat fraud, most large debit card issuers are now checking the card-verification values attached to transactions to verify the legitimacy of both PIN and signature-based point-of-sale transactions and most ATM transactions, the survey indicates. “Many smaller issuers just began checking [these values] this year, and are still implementing…checks for PIN transactions,” the summary says.

Issuers have also started to use, or plan to, neural-network technology to score both PIN and signature transactions for probability of fraud. Overall, Dove estimates issuers' net losses to fraud jumped 21% from 2004 to 2005, reaching $662 million. Fraud on signature-based transactions rose 28%, to $247 million, while losses on PIN traffic increased 17%, to $415 million, though the bulk of the PIN losses, all but $21 million, occurred at ATMs. While most debit card fraud at the point of sale occurs on signature cards, PIN POS losses are rising fast, indeed more than doubling, when looked at relative to gross dollar volume, to 0.61 basis points from 2004 to 2005, according to Dove.

Digital Transactions