Plastic Card Fraud Poses Huge Threat to Credit Unions

Register now

It's a costly problem: More than $236 million in losses in the past three years, $100 million in 2005 alone.

And it's not going away anytime soon: Losses in 2006 are already ahead of last year's pace, and what's most troubling is that the worst may be yet to come.

It's the rising tide of plastic card fraud losses and it threatens to wash away the ability of credit unions to provide competitive card programs for their members.

Closing security breaches is CUNA Mutual's number one priority, but we can't do it alone. The criminal minds perpetrating acts of thievery on unsuspecting individuals and businesses are resilient, resourceful and relentless. It will take the power of credit union cooperation to find ways to prevent these losses and protect the viability of credit union plastic card programs.

While credit card fraud continues to grow, recent major breaches have also involved debit cards. The theft of debit and credit card information from databases retained in violation of card association rules at nationally known retailers, including BJ's Wholesale Club, DSW, Chipotle's and Polo Ralph Lauren, received wide spread publicity. Earlier this year, breaches at two additional major retailers resulted in hundreds of thousands of compromised accounts, resulting fraudulent transactions and the expense of blocking and reissuing of thousands of debit and credit cards.

The consequences are costly. When informed of the breaches, credit unions have scrambled to either closely monitor compromised card accounts for fraud, or cancel them and reissue new cards with new account numbers. Replacing plastic cards is a painstaking and expensive process costing institutions as much as $25 or more per card.

Increased losses may lead to a tarnished reputation. In addition to millions of dollars in expenses, card-issuing credit unions are left to address the questions, concerns, and fears of angry members. Even though card issuers are not responsible for the breaches, each one undermines the relationship a credit union has with its members. Relationships that have taken years to nurture can quickly sour when members are at risk of becoming fraud victims or having their identity stolen.

What Can Be Done?

CUNA Mutual has shared our concerns with the card associations about the recurring card compromises occurring at one retailer after another as a result of the associations' ineffectiveness in enforcing their own compliance rules. To further reinforce our concern, we are leading the litigation against BJ's Wholesale Club and Fifth Third Bank on behalf of almost 200 of our policyholder credit unions and CUMIS Insurance Society, Inc. to recover over $5 million in losses due to their negligence. Like so many other merchants, they retained the full-magnetic stripe data after the authentication of a transaction - a direct violation of card association rules. The case has now moved into the discovery phase.

CUNA Mutual has also worked closely with plastic card processors that support credit unions' card programs and encouraged them to more actively promote loss prevention services and tools, as well as develop and offer additional tools to help credit unions significantly reduce plastic card fraud losses.

We've extensively assessed the current and emerging causes of fraud losses and developed additional loss prevention training programs and tools to help our Credit Union Bond policyholders address this challenge. To increase credit union awareness of this major and growing threat, CUNA Mutual staff have appeared at conferences and forums coast-to-coast and urged credit unions to be ever diligent in taking every measure possible to reduce their exposure to plastic card fraud. These presentations will continue throughout 2006. Likewise, we will continue to sponsor Webinars, peer forums, and other events for policyholders to learn about best practices.

We've sent Credit Union Bond policyholders a Plastic Card Security Best Practices document that was developed based on our work with credit unions, card processors, and industry experts. We believe that implementing these security measures is one of the best ways credit unions can face this ongoing threat to the very existence of their plastic card program.

How You Can Fight Fraud

The Best Practices document offers extensive tips on effectively monitoring, and recovering fraud losses. Among them:

24/7 Review of Potentially Fraudulent Activity - This goes beyond simply having a fraud model or rules that "score" a transaction around the clock. 24/7 review means having a staff of trained fraud investigators in-house or provided by a third party who are able and empowered to review alerts and take action any time, day or night.

CVV (Visa(r)) and CVC (MasterCard(r)) Validation - If credit unions do not check CVV/CVC on PIN-debit transactions, members can be duped into providing their name, account number, expiration date and PIN number to the criminals - that's all they need to commit fraud.

CVV2/CVC2 - This three-digit code on the cardholder's signature panel is used to authenticate Internet, mail, telephone and key-entered transactions. These should be declined when a mismatch occurs.

Daily Limits - A criminal with access to a working card will spend every dime as quickly as possible. Enforcing daily limits is a critical measure that puts a lid on fraudulent activity. Debit card signature purchases should be limited to $1,500 per day and ATM activity should be limited to $510 per day. A daily limit of $10,000 should be set for credit cards.

Compliance/Recovery - Many credit unions aren't asserting their rights to recover fraudulent losses from merchants that improperly store card data and later suffer a compromise that puts member data in the hands of organized, high-tech crime rings. Increase pressure on merchants by holding them accountable for irresponsible data management.

Exact Cardholder Expiration Date - An expiration date mismatch should be set to decline for both swiped (magnetic stripe read) and manually-keyed transactions.

Card Activation - Use an effective activation procedure for all credit and debit card programs, such as PIN-driven or calling from a home phone.

Address Verification Service (AVS) -Support the AVS tool to allow mail, telephone order and Internet merchants to automatically match a cardholder's billing address to the shipping address.

The Credit Union Bond is underwritten by CUMIS Insurance Society, Inc., a member of CUNA Mutual Group, and provides coverage to more than 94% of all U.S. credit unions. We pioneered plastic card fraud coverage for our policyholders, and credit unions are among the few financial institutions that have this coverage today.

For the sake of credit union members everywhere, we must all do our part to help stem this rising tide of plastic card fraud.

Jeff Post is president and CEO of CUNA Mutual Group. For more information, call 800/637-2676 or visit

For reprint and licensing requests for this article, click here.