As the industry reels from the massive data breach Target announced Thursday, there's debate around the best way for banks to respond. The most obvious reaction would be to re-issue credit and debit cards to all customers who shop at the giant retailer. That way, although data thieves are already selling the card data on underground websites as fast as they can, those who buy that information would have little opportunity to use it and might even get caught.
Minneapolis-based Target says 40 million credit and debit card accounts may have been impacted between November 27 and December 15 of this year.
Large card issuers JPMorgan Chase, Bank of America, Wells Fargo and Citi have all told us they are monitoring accounts for suspicious activity and will notify customers when unusual behavior is detected. Bank of America also said in a statement, "If we believe the account is at risk for fraud, we will notify a customer and reissue the card." Other issuers have not yet responded to a request for comment.
Brian Krebs, the security blogger who first broke this data breach story, sees most card issuers taking a "wait and see" approach, because of the expense and inconvenience to all parties of canceling old cards and issuing new ones, and the major inconvenience to consumers during the biggest shopping season of the year.
"People still need their cards, so card companies are not looking to shut them all down," says Brian Riley, senior research director, CEB Tower Group. "Banks can mitigate the risk by torqueing up their fraud filters. There are sophisticated ways for card companies to box their way through this."
Large banks' fraud analytics systems should be enough to avert fraud without canceling cards, Riley says.
Card issuers will flag the accounts of customers that have shopped at Target and then use fraud mitigation software such as FICO Falcon to look out for unusual behavior at POS terminals and ATMs.
The card-not-present scenario is more of a challenge than fraud at the point of sale, Riley notes. For hackers, using stolen card data online is much simpler than shopping in a store with a card that's known to be compromised.
Small banks with less advanced fraud filters may need to reissue cards for their Target customers, however.
Riley believes Target-shopping consumers should be canceling their own cards. "What consumers need to protect against is the surprise that happens when you're at dinner and you're paying with the one debit card in your pocket and finding there's a challenge," he says. "It's much better to be proactive than to wait for your card issuers."
Dave Fortney, senior vice president product development and management at The Clearing House, believes affected banks will have to re-issue breach-impacted cards.
"This has happened enough times that the card issuers have an established process for what to do in the event of a big data breach," he points out. The process includes adding staff, producing mass volumes of cards and mailing them out.
"If 40 million cards were impacted, that's a lot of cards that have to be produced, it certainly can't all be done overnight," Fortney says. "It will take some time." Especially since at this time of year the postal service and overnight services are already at maximum capacity.
"Banks will be working through the holidays, there will be people in the call centers who were not planning to be, working around the clock to do this as quickly as possible," he says.
Banks' card fraud analytics systems are sophisticated, Fortney agrees. "I've personally had things caught by those systems that I'm glad were caught; someone had somehow gotten hold of my card number," he says.
But if a bank is certain someone's card was compromised, it's likely to reissue that card and perform fraud screening until the customer receives and registers the new card, Fortney says.
Customer service will be important to handling this data breach. "A lot of customers will be reading these stories, calling their banks, and asking about any suspicious activity," he says. "There's a huge emphasis on having call centers at maximum capacity."
Target will need to reissue its RedCards as well, he says. [The RedCard is Target's loyalty credit card, which can also be tied to a bank account and act as a debit card.] "I did notice on their website that they're telling customers, 'if you have a RedCard, don't call your bank, call us,'" he says.
Some consumers won't want to use their bank cards or RedCard at Target out of fear.
Long-term, Fortney says tokenization is the way to prevent card account data breaches. The customer would receive a one-time use token with which to make purchases rather than a static account number. Some banks are considering this approach for mobile payments.
And while some have posited that this breach shows the need for more modern, digital currencies like Bitcoin, Fortney believes the current payments system has it all over digital currencies.
"Can you imagine if someone hacked into Bitcoin?" he muses. "Old world payments are 100% guaranteed. Who would you even call if your Bitcoin code went wacky and you just lost $1 million?"
Adam Williams, chief information security officer at Diebold, also thinks banks should send out new cards to affected customers.
"I'm a firm believer that when there's uncertainty you reissue," Williams says. His family has shopped at Target, and he has already cancelled his credit card. "I would prefer to go a couple of days with an inconvenience than wait around and see."
Banks can suspend RedCard activity to certain accounts on an interim basis to protect consumers' financials, he says.
He also agrees that this is a terrible time of year for that.
"There probably couldn't be a worse time of year," he says. "Especially for me, as I haven't done some of my Christmas shopping yet."