Failure to Communicate

  Competition has spawned technology and practices that have helped drive credit card fraud losses dramatically lower in the past decade. But big data breaches have a way of making the public see the entire payments industry as ineptly disorganized, and they highlight areas where cooperation and communication are needed.
  MasterCard International's surprise announcement of the record-breaking CardSystems Solutions breach late on a Friday in June is the latest example. Issuers across the country were caught off-guard when journalists and cardholders suddenly started calling to ask about a massive data theft.
  Some observers say MasterCard did the right thing notifying the public on June 17, the day after the card associations, Discover Financial Services and American Express Co. determined exactly which 40 million card accounts were compromised. Others say the announcement caused confusion for consumers and payments companies.
  By mid-July several issuers reported they had cancelled and reissued debit and credit cards. But no leads on the crooks had been reported.
  Throughout the year, companies and trade organizations hold seminars, work groups and conference calls to discuss ways to prevent and react to security breaches. But MasterCard's unexpected announcement made clear that the payments industry does not have a single, coordinated approach for facing such a crisis. Indeed, the CardSystems breach, and a slew of others that received massive publicity this year, have politicians threatening legislation, while within the industry payments executives were angered by MasterCard's Friday-night surprise.
  Robert Boxberger, executive vice president of risk operations for Providian Financial Corp., for example, does not believe he is asking too much to be informed of a breach before the Associated Press. "First and foremost we need to be notified before the public," he says. "We were notified by the media and by our customers, which is the wrong way to operate."
  The black eye the breach gave the industry has made some executives involved in the investigation reluctant to discuss events for attribution. One issuer who was informed of the breach before the public said on condition of anonymity that MasterCard had sent an e-mail message on Friday morning that it would not disseminate news of the breach. MasterCard put out its press release later that day.
  "I'm surprised (the announcement) was not coordinated better," the issuer says. "It's in everyone's best interest to know what is going on."
  The breach itself was no surprise to insiders, as MasterCard and Visa quietly were aiding an FBI investigation for several weeks after MasterCard followed a trail of fraudulent transactions to CardSystems. The AP initially quoted Michael A. Brady, chief financial officer of the Atlanta-based processor, saying he was "blindsided" by MasterCard's announcement. Since then, CardSystems has followed a "no comment" policy.
  Why MasterCard went public and Visa did not apparently reflects different company policies. A Visa spokesperson says it would have waited to give the FBI more time to investigate.
  A MasterCard spokesperson says that the association sent an electronic alert that Friday through a dedicated network to its issuers to let them know which files to access to find out if any of their cardholders had been affected, as is company policy. "The timing was not ideal, but the member alert goes out as soon as we determine the account numbers involved," the spokesperson says.
  MasterCard officials also believed they should announce the breach instead of waiting until after news of it was leaked to the media.
  The crossed signals did not help with a public that has heard about at least nine major losses or thefts of consumer data this year.
  At least the means of security alerts have improved. Just five years ago issuers received only phone calls and next-day airmails of floppy disks in a breach at merchant Egghead.com, recalls Boxberger. It was one of the first widely publicized breaches, and the industry learned that both hackers and the media were threats that had to be treated carefully.
  "We began to realize that it was relatively easy for a hacker to access the data," Boxberger said. "More importantly, when the media gets involved and consumers are made aware of the compromises, it really undermines consumer confidence in the payment system."
  Data security and fraud prevention are topics on which even the toughest card competitors can agree. AmEx, Discover, JCB Co. Ltd., MasterCard and Visa worked together to develop the Payment Card Industry (PCI) consumer data security standard that merchants, processors and other vendors must follow.
  There is also the casual exchange of ideas at fraud-prevention seminars and work groups sponsored by individual card associations, processors and other vendors for their members and customers. And many competing issuers talk frequently among themselves, Boxberger says.
  However, the lack of a broad fraud-fighting effort may mean the industry loses the opportunity to educate cardholders on the primary reasons for card fraud: old-fashioned theft from wallets and other low-budget trickery.
  Financial services consultant Javelin Strategy & Research reported in January that among identification-theft victims who knew how their identity had been stolen, 28% reported it was caused by theft or loss of their wallet, checkbook or credit card (see chart, page 36).
  Nearly 12% said the crooks got their card number during a transaction, while about 11% said an employee accessed their information. Only 2.3% said they knew they lost their card information because of a computer hack, according to Javelin.
  Companies may be competitors, but they must do a better job of working together to share information when combating fraud and when responding to data-security breaches, says Patricia A. Hewitt, vice president of credit processing services at Fiserv Inc., a Milwaukee-based transaction processor.
  Issuers selling their acquiring businesses over the past decade to third-party processors helped create holes in data security, Hewitt says. This decoupling has hampered what issuers can do to protect their card and customer data, she says.
  "At some point, I do believe we need to come together as issuers, acquirers and processors to figure out how to protect the data," Hewitt says. "It's important for the industry to come together before the regulators step in."
  One organization that was formed to coordinate industry communication to address fraud is BITS, a nonprofit consortium of the Financial Services Roundtable, the lobbying organization whose members include executives at the nation's largest financial institutions.
  BITS organized a conference call with 40 issuers the Monday morning after MasterCard's Friday night press release. BITS focuses on security and risk assessment, crisis management, fraud reduction and ID-theft prevention.
  "Fraud reduction and security are not competitive issues," says Cheryl Charles, BITS senior director. "Some of what we do is develop best practices and share them broadly."
  BITS has convened meetings and conference calls when crises such as the Sept. 11 terrorist attacks or the latest large data breach occur. "If there's an issue that erupts that requires a quick response, we can move nimbly and effectively," Charles says. During a call, members establish the facts on an event, share how institutions are reacting and conclude with ideas for collective action.
  BITS and the Roundtable established the national Identity Theft Assistance Center in Washington, D.C., opening it as a free service for ID-theft victims in August 2004. Center staff review credit reports with victims to look for other suspicious activities. The center then notifies affected creditors and sends fraud alerts to credit bureaus.
  In July, the center announced that it also would share criminal information it discovers with the Federal Trade Commission, which will pass it on to law-enforcement agencies around the country.
  AmEx, Discover, MasterCard and Visa declined to discuss specifically how they were working together to address the CardSystems breach and ongoing security and related legislative issues. Spokespersons said the ongoing investigation meant they could not talk about the issue.
  However much or little the card companies now are talking to each other, legislators are talking plenty about them. The number of security breaches and their apparent breadth have elected officials vying to pass legislation to address complaints from constituents across ideological boundaries.
  By Independence Day this year, the proposals were coming fast and furious. "There's been more in three months than in the previous five years," says a Visa spokesperson (see sidebar, page 34).
  Vendors are stepping up to provide broader communications, though their motives are primarily commercial and only for their own customers.
  Online security systems vendor Cyota has built a fraud-fighting center of sorts where it pools transaction data from 40 large issuers worldwide and about 3,000 small- and mid-sized U.S.-based issuers. The year-old system operates 24/7, looking for transactions that contain fraud patterns.
  It also scans 1 billion e-mails looking for phishing and other threats. Cyota also is connected to Internet providers America Online, Earthlink and major spam fighters, says Naftali Bennett, Cyota's CEO.
  The system is designed to search out, deflect and stop online fraud before and after it occurs, but it is not intended to be an industrywide response to security breaches, Bennett said. "There's no one war room that coordinates all the banks, security firms and law enforcement," he says.
  Creating an industrywide, centralized system sounds intriguing but may not be realistic. "A consortium approach becomes slow," Bennett says. "It's hard to get things done quickly."
  Ted Crooks, vice president of global fraud solutions at Fair Isaac Corp., the Minneapolis-based firm best known for inventing the FICO credit score and neural-network products, believes a centralized system is feasible. He is seeking to create the National Joint Identity Theft Center at Los Alamos Laboratories in New Mexico. Financial institutions nationwide voluntarily would send data to the center about fraudulent transactions as they occur.
  Scientists would use technology similar to existing neural networks to scan for similarities between fraudulent transactions. Law enforcement would track the similarities to locate criminals and crime rings.
  Crooks says that while financial institutions have adopted increasingly sophisticated automated antifraud systems, they do not report much of it to law-enforcement agencies. When they do, it often is long after the fraud occurred.
  And most law-enforcement agencies do not have the technology or training to analyze masses of digital data necessary to catch sophisticated card-fraud criminals. "In ID theft, when fraudsters get a good method, they don't change it. That is the key for us to be able to find the group doing it because they're redundant in their behavior," Crooks says. "We may not know where the fraudsters live, but we know that they always use this merchant or this gas station. We're talking about taking that and increasing it 1,000 times."
  System Proposal
  Fair Isaac proposes to develop the system, but once established it would be a government, not private, venture and would collect only the information necessary to analyze fraudulent transactions, Crooks says.
  Fair Isaac submitted a proposed $500,000 feasibility study a year ago for the center to the FBI, one of the agencies to oversee it. But funding has not come through.
  Now is the time for all players in the payments industry to support more cooperative fraud-fighting efforts, says Crooks. "As Congress gets more involved in these issues, we're a lot better off as an industry if we become proactive and suggest ways to improve the situation," he says.
  For better or worse, the pieces finally may be falling in place for industry coordination. Consumers are worried, Congress is mad, the crooks are savvy and the media is buzzing. If not now, when?
  (c) 2005 Cards&Payments and SourceMedia, Inc. All Rights Reserved.
  http://www.cardforum.com http://www.sourcemedia.com
