MasterCard Inc. has announced new fraud-fighting technology that could alleviate the headaches issuing banks face when card accounts have been compromised.
The technology, called Expert Monitoring Compromised Account Service, is available from MasterCard to its issuing banks. It uses analytic tools to determine the likelihood a card account will be compromised following a data breach, allowing banks to make more targeted decisions about account closures.
Industry experts said the technology is unique, and that it is likely to help issuers reduce the costs associated with account closures by reissuing only the cards most at risk. They said it was also likely to help issuers fight attrition of customers who decide not to use a card after it has been targeted.
One analyst, however, called the product a lopsided solution for issuers who blend their portfolios with other card brands.
"For some banks that issue MasterCard cards, this is a wonderful solution," said Brian Riley, a senior research director for TowerGroup of Needham, Mass. "But when you have a blended portfolio with Visa and whatever else you issue, [banks] will have to contend with that."
The product works in tandem with MasterCard Expert Monitoring Solutions, which compiles a fraud score at the time of transaction authorization. It works at the account level after a large compromise has been detected. The MasterCard product flags those accounts with the highest threat of fraud.
The service then issues a daily fraud threat score for the account, which is presented during transaction authorizations for the next two weeks.
In order to assess the likelihood the account will go bad, MasterCard factors in such things as merchant attributes, whether the card security code or magnetic stripe information have been stolen, and whether other customer information has been compromised.
MasterCard also will ascertain whether the card has been subject to multiple security breaches, creating a reference number for each of the related breaches so issuing banks can get a clearer picture of the dangers posed to the account.
"This is intended to provide our issuing banks with a comprehensive, real-time view of account compromise risk," said Bruce Rutherford, group head of fraud management solutions for MasterCard.
The costs of data breaches are high. Typically it costs between $3 and $5 to reissue each new card, said Julie Conroy McNelley, a senior risk and fraud analyst for Aite Group LLC in Boston. In the case of a large data breach, the costs can be enormous for the banks, which must also factor in the damage done to the brand, where costs can be difficult to calculate.
"The costs to do the reissue can really add up. … Then there is the question, does this card go to the back of wallet because the consumer perceives there is less security associated with it," McNelley said.
Banks also risk losing customers after a data breach. It can cost banks $150 or more to attract a new customer, according to Javelin Strategy and Research in Pleasanton, Calif.
Javelin's 2011 Identity Fraud Survey Report, released in February, found that the number of consumers who were victims of identity theft declined 27%, to 8.1 million, in 2010. At the same time, out-of-pocket costs to consumers for fraud rose 63%, to $631.
"Where I think MasterCard needs to focus more is taking fraud tools and putting them in customers' hands," James Van Dyke, Javelin's president, said.
Van Dyke said that 15% of the time, customers will leave a financial institution as a result of fraud.
Avivah Litan, a vice president and distinguished analyst at Gartner Inc. in Stamford, Conn., said the product would likely speed up the time it took MasterCard and the issuers to identify fraud, which is an important advance.
"The big problem for the issuer is, the card brands know about account compromises before the issuer," Litan said. "Timeliness is the No. 1 factor."
While the largest issuers such as Bank of America and JPMorgan Chase could develop their own systems, "MasterCard still has more data than any single issuer, and fraud models are built on volume and are more effective the more confirmed fraud you have," Litan said.
The American Bankers Association said it thought the new product would be useful, particularly for smaller banks.
"Such systems provide a much-needed tool, particularly for community banks that may be more prone to reissue cards," said Doug Johnson, vice president of risk management policy for the ABA.
"Pinpointing those accounts that are most vulnerable allows banks to surgically reissue cards, eliminating the inconvenience to customers of having to get a new card when the risk to their account is minimal," Johnson said.
MasterCard said it analyzed fraud at one major U.S. issuing bank between April and September 2010. It found that after the bank's use of MasterCard's account compromise product, the issuer could have prevented 25% of compromised-account fraud by closing just 5% of associated cards. MasterCard would not release the name of the bank.
Visa Inc. said it has had similar technology, called Visa Advanced Authorization, for the past five years. It provides a Compromised Account Risk Condition Code, which includes information about risks associated with an account that has been exposed to a data breach and provides event reference IDs upon authorization, specifying which breach the account has been associated with.
McNelley said she thought the MasterCard product was an improvement, however. "The level of detail that [Mastercard] provides in the authorization message is a definite differentiator," she said. "And the timing with which they are able to provide these analytics is quicker than what Visa is providing today." McNelley also said MasterCard's predictive element, gauging the likelihood the account would go bad in the next 2 weeks, was also unique.
Mark Nelsen, senior business leader for fraud risk products at Visa, said prediction is a component of the score Visa presents to issuers.
