MOUNTAIN VIEW, Calif. — The Target Corp. data breach, estimated to have cost credit unions at least $30 million so far, is doing much more than lightening CUs' wallets — it's changing the way they approach fraud prevention and increasing attention on EMV.
The massive data compromise that has affected nearly one in four Americans is also changing the mindset of consumers and FIs, analysts say, raising their focus on data security and cybercrime.
That is leading CUs to adjust fraud-fighting tactics — with greater numbers moving to real-time monitoring and others opting for tighter and more personalized detection rules. Target's problem has also turned attention to different card products and features, such as instant-issue, smartphone control of a card's limits and usage, and prepaid as a means to limit fraud exposure.
But the biggest impact, industry insiders say, has been increasing credit unions' interest in migrating the card base to EMV. In a previous report (CU Journal, Jan. 13) analysts predicted the Target breach would step up credit unions' plans to convert to EMV, even though chip cards would not have prevented the Target compromise.
Now, a growing number of credit unions see EMV as necessary in the U.S., not only to discourage criminals but also to protect member data.
"We have decided to begin the issuance process for EMV," said Kathy Coonan, director of EFT services at the $6.5 billion First Tech FCU in Mountain View, Calif., who noted the CU had planned for EMV conversion before the Target data theft. "We think it is important for everyone in the industry to get on board with EMV as soon as possible."
This year at least three CUs have decided to convert their cardholders to EMV — the $2.3 billion-asset Affinity CU, Basking Ridge, N.J.; $200 million Firefighters Community CU in Cleveland; and $2.6 billion Virginia CU in North Chesterfield, Va.
EMV Call Goes Out
Late last month CSCU in Tampa, Fla., called for its member credit unions to begin issuing EMV to cardholders as soon as possible.
CSCU President Robert Hackney said credit unions reacted immediately to the request. "The first day we issued the news release we got 10 calls from credit unions saying they want to start reissuing with EMV."
Hackney said the purpose of CSCU's request is to put a stake in the ground and persuade credit unions without plans to migrate to EMV to "get serious about this. Because it will be a three-year process if you just go with reissuing as cards expire."
Julie Conroy, research director, retail banking, for the Aite Group in Boston, credits Target's public relations efforts following the breach for much of the EMV movement.
"In one of the more masterful PR jobs I have seen, Target deftly refocused the breach story from analysis of its own data security shortcomings to a broader industry problem. They turned the conversation to EMV, and now we have the Congressional hearings," Conroy said.
Prior to the Target compromise, EMV migration among FIs had slowed significantly, according to Conroy, due in part to U.S. District Judge Richard Leon's decision last year to strike down the new limits on swipe fees and the routing provisions under the Durbin rules, clouding the future of debit interchange rules.
"But now financial institutions are getting re-energized," said Conroy. "One credit union I recently spoke with said, 'We don't want Congress to mandate EMV, so we are now moving full speed ahead.'"
What, too, may be tipping CUs toward converting the card base is all the media attention and discussions about data security, handing management ammunition to approach boards to spend money on EMV, said Brian Scott, VP of sales at The Members Group in Des Moines, Iowa.
"There has been foot dragging," said Scott. "Target was the push many CEOs needed to go to their boards and say, 'I want to spend $ 50,000 to reissue the card base to EMV.' That would have been a tough discussion before Target."
Scott believes members, as well, are more receptive now to a chip card. "People are more of the mindset that the change will offer greater security and are OK with getting a new card."
'Real Pressure' On Visa & MasterCard
But it will likely take more than just receptive boards and members driving what many experts say could become a fast-growing wave of financial institutions converting to EMV. During CUNA's Governmental Affairs Conference in Washington last month, Stan Hollen, president and CEO of CO-OP Financial Services, Rancho Cucamonga, Calif., told Credit Union Journal that the Target breach has put "real" pressure on Visa and MasterCard to cooperate with the debit networks to devise a common debit routing solution, an issue that has slowed EMV migration, especially with debit.
Days later CO-OP announced that two of its business partners — Visa and First Data (STAR Network) — agreed to share Visa's common debit solution offering issuers, acquirers and merchants an approach for debit EMV chip adoption.
Getting retailers on board, reminded Ted Bilke, will have to happen as well. But the president of San Diego-based Symitar contends that as more credit unions convert to EMV, the retailers will follow with EMV-enabled POS terminals.
"We have to reach a tipping point," offered Bilke. "As more FIs issue chip cards we will see momentum build and pressure applied to merchants because of the October 2015 [Visa and MasterCard] deadline for the shift in fraud liability. I think this could happen very fast."
With all the media attention on the Target compromise, and data breaches in general, Bilke said credit unions are scared about what they are hearing but "horrified by what they don't know — the other breaches that are coming."
He said CUs are quickly realizing that blocking and reissuing can be a costly strategy during a period in which several breaches occur. He agreed that chip cards, when widely adopted in the U.S., will take the fraudsters' bulls-eye off this country's back.
"The real solution, which credit unions are paying more attention to, is improving fraud monitoring and reaction to potential fraudulent transactions," said Bilke, who like others said Target has been a "wake-up call. We see much more active fraud monitoring, more proactive alerts to members of transactions above a certain threshold... But there is no silver bullet, it takes a collection of efforts, on the part of the credit union, to effectively fight growing fraud."
Bilke said that many large credit unions that use Symitar's Episys core system have turned to real-time fraud monitoring, which many smaller shops have been slow to do. "However, we are now seeing the smaller credit unions moving aggressively toward real-time."
Fiserv, Brookfield, Wis., also has seen growing attention this year to real-time blocking of suspected fraudulent transactions, including from smaller credit unions. "They realize, in this environment, that they can't wait for the next breach to hit to argue for real-time blocking," said Patrick Davie, general manager of Fiserv risk. "Many are presenting their cases to their boards now."
Davie said credit unions, in increasing numbers, are partnering with Fiserv's Risk Office, a team of risk analysts that support about 900 FIs nationally. The team partners with banks and credit unions to devise customized fraud strategies and detection rules based on member behavior, geographic data and more. The team also serves as a central data pool, talking to FIs about the fraudulent activity they are seeing and combining that knowledge with what the risk analysts are seeing as well.
"Collaboration is a powerful tool to fight fraud," said Davie.
Members, too, are taking an active interest in fighting fraud post-Target breach, said TMG's Scott. CUs are stepping up to offer technology that allows cardholders to remotely control their plastic with their smartphone — such as setting purchase limits and spending preferences and turning the card on and off — and members are signing up.
Scott pointed out that a community bank customer of TMG recently offered the remote technology to its customers and 70% of those already enrolled in home banking took the service and actively use it. "This shows consumers are willing to play an active role in fighting fraud."
Prepaid As Fraud-Fighter
Prepaid cards have become an attractive fraud-fighting option among credit union members, added Scott. "Consumers understand they can only lose so much if a prepaid card is compromised, and if the card gets hacked people don't feel as if they have been hacked since their personal data is not attached to the card."
CSCU's Hackney has noticed that following the Target compromise more credit unions are opting to pay their processor to set limits on total losses from a breach. "Essentially, they are transferring the risk to the processor."
And that risk is growing, credit unions say, with the number of breaches apparently increasing along with the speed at which crooks use the compromised data. That is forcing CUs, like the $371 million Global CU in Spokane, Wash., to pay close attention to its blocking and reissuing strategies.
Card Services Manager Keri Buntain acknowledges the credit union must walk a fine line these days between protecting members' accounts and providing excellent service. "There is a delicate balance between the risk rules you apply and then letting people conduct their normal card business," Buntain said.
Working with JHA Payments Processing Solutions in Seattle, GCU late last year moved to stricter but more customizable fraud rules that allowed tailoring rules to the individual member. That helped lower fraud losses after the Target breach, according to Buntain.
She explained that the credit union made the rule changes after fraud from a regional grocery store chain breach hit the CU harder than even Target losses.
"This is a difficult situation that is arising, with all the breaches," said Buntain. "The initial reaction to a data compromise has been to block and reissue. But doing a lot of that makes it hard for you to keep members loyal to you and your card, and to do things like set up recurring payments. It's becoming a fine line we have to walk, and it's not easy."
