A week ago Sunday at about 10:00 a.m., Jim Wells was on his way from church to a grandson's birthday party, when he popped into Target to pick up a gift. By the time he returned home from the party at about 3:30, there was a voicemail message on his machine from Citibank's fraud control department asking him to call because they thought there might have been fraud on his account.
The customer service rep read off several charges on his account that were suspect, including a 55-cent charge at a real estate company and a $1 transaction at another site. Only the Target purchase and a gas station charge were real. The rep said the bank believed Wells' card had been compromised, that the card would be canceled immediately and that the bank would send a new one. This was about four days before the Target breach hit the media.
"I was astounded," says Wells, who is president of Wellspring Consulting and not a fan of some large-bank practices. "I was pleasantly surprised."
But this anecdote is a lone success story in the sea of uncertainty that is the Target data breach, confirmed last Thursday, that left vulnerable the card account data of 40 million Target shoppers.
Many banks are taking more of a wait-and-see approach, asking customers to monitor their accounts, and using the banks' fraud analytics software to monitor transactions for signs of foul play, but not rushing to close accounts and reissue cards.
"A bank that is taking a wait-and-see approach is leaving itself open to not only having to make good on a lot of payments but having its cardholders worry," Wells says. "I think the wait-and-see approach is not customer friendly, which is not surprising given I don't think the big banks are customer friendly."
But the right solution is not clear-cut.
Citi's approach, of calling the customer and reissuing his card, is very expensive. "If you've had millions of cards in your portfolio compromised, how many calls can you make a day?" says Avivah Litan, vice president and distinguished analyst at Gartner. Card production facilities are limited in the number of new cards they can generate, in the range of 35,000 to 50,000 cards a day.
Chase's reaction to the breach (on Saturday it announced it was limiting affected customers' use of their debit cards to $100 a day for ATM withdrawals and $300 for purchases) was widely denounced.
"Chase's statement, said another way, is, we're doing this to protect us," Wells says. "When you get your statement and get the shock of your lifetime, call us and we'll do something."
On Monday, the bank stepped back, raised the limits to $250 per day for cash withdrawals and $1,000 per day for purchases, and apologized for the lowered limits on its website.
Most other large U.S. card issuers, including Bank of America, Wells Fargo, U.S. Bank and PNC, simply told their customers they were monitoring their accounts and to report any suspect transactions.
Is there anything banks could have done to prevent this breach?
Dozens of security software companies have contacted us to offer us their answer to this question. Each one, had we taken the bait, would have given us a thinly veiled sales pitch for their own technology.
But it's hard to say at this point that there's any one technology or even set of technologies that would have really helped. Target's investigation has not yet been completed and it's too early to say just how the hackers infiltrated the retailer's network.
"You put one block in, they'll find another opening," says Litan. "The typical thing people would say is, use point-to-point encryption. But then [the hackers] could have gotten to the data before it was encrypted."
Until specific technologies are standardized as part of PCI, there's little point for a retailer to invest in them, because they will get locked into a vendor's non-standard system, Litan says.
Some believe the real problem is systemic.
"The real question to be asked is, 'Why aren't Visa and MasterCard involved in establishing data security systems that make these breaches impossible?'" says Gary Olson, president and CEO of ESSA Bank and Trust in Stroudsburg, Penn.
"Can you imagine the cost of 40 million cards being reissued? Banks pay the freight and occasionally you can get reimbursed by Visa and MasterCard for some of the cost. Reissuing is a nightmare for the customers and banks and is not a long-term solution for this massive problem. The retailers need to go to another security level with their servers but no one seems to be responsible for making that happen."
Litan shares this big-picture view.