MasterCard Inc. on March 8 announced new fraud-fighting technology that could alleviate the headaches issuing banks face when card accounts have been compromised.
The technology, called Expert Monitoring Compromised Account Service, is available from MasterCard to its issuing banks. It uses analytic tools to determine the likelihood a card account will be compromised following a data breach, allowing banks to make more targeted decisions about account closures.
Industry experts say the technology is unique, and that it is likely to help issuers reduce the costs associated with account closures by reissuing only the cards most at risk. They say it was also likely to help issuers fight attrition of customers who decide not to use a card after it has been targeted.
One analyst, however, called the product a lopsided solution for issuers who blend their portfolios with other card brands.
“For some banks that issue MasterCard cards, this is a wonderful solution,” says Brian Riley, a senior research director for TowerGroup of Needham, Mass. “But when you have a blended portfolio with Visa and whatever else you issue, [banks] will have to contend with that.”
The product works in tandem with MasterCard Expert Monitoring Solutions, which compiles a fraud score at the time of transaction authorization. It works at the account level after a large compromise has been detected. The MasterCard product flags those accounts with the highest threat of fraud.
The service then issues a daily fraud threat score for the account, which is presented during transaction authorizations for the next two weeks.
To assess the likelihood the account will go bad, MasterCard factors in such things as merchant attributes, whether the card security code or magnetic stripe information have been stolen, and whether other customer information has been compromised.
MasterCard also will ascertain whether the card has been subject to multiple security breaches, creating a reference number for each of the related breaches so issuing banks can get a clearer picture of the dangers posed to the account.
“This is intended to provide our issuing banks with a comprehensive, real-time view of account compromise risk,” says Bruce Rutherford, MasterCard group head of fraud management solutions.
The costs of data breaches are high. Typically it costs between $3 and $5 to reissue each new card, says Julie Conroy McNelley, a senior risk and fraud analyst for Aite Group LLC in Boston. In the case of a large data breach, the costs can be enormous for the banks, which must also factor in the damage done to the brand, where costs can be difficult to calculate.
“The costs to do the reissue can really add up. … Then there is the question, does this card go to the back of wallet because the consumer perceives there is less security associated with it,” McNelley says.
Banks also risk losing customers after a data breach. It can cost banks $150 or more to attract a new customer, according to Javelin Strategy and Research in Pleasanton, Calif.
Javelin’s 2011 Identity Fraud Survey Report, released in February, found that the number of consumers who were victims of identity theft declined 27%, to 8.1 million, in 2010. At the same time, out-of-pocket costs to consumers for fraud rose 63%, to $631.
“Where I think MasterCard needs to focus more is taking fraud tools and putting them in customers’ hands,” says James Van Dyke, Javelin president.
Van Dyke says that 15% of the time, customers will leave a financial institution as a result of fraud.
Avivah Litan, a vice president and distinguished analyst at Gartner Inc. in Stamford, Conn., says the product likely would speed up the time it takes MasterCard and issuers to identify fraud, which is an important advance.
“The big problem for the issuer is, the card brands know about account compromises before the issuer,” Litan says. “Timeliness is the No. 1 factor.”
The largest issuers such as Bank of America Corp. and JPMorgan Chase & Co. could develop their own systems, but “MasterCard still has more data than any single issuer, and fraud models are built on volume and are more effective the more confirmed fraud you have,” Litan says.
The American Bankers Association believes the new product could be useful, particularly for smaller banks. “Such systems provide a much-needed tool, particularly for community banks that may be more prone to reissue cards,” says Doug Johnson, association vice president of risk management policy. “Pinpointing those accounts that are most vulnerable allows banks to surgically reissue cards, eliminating the inconvenience to customers of having to get a new card when the risk to their account is minimal.”
MasterCard says it analyzed fraud at one major U.S. issuing bank between April and September 2010. It found that after the bank’s use of MasterCard’s account compromise product, the issuer could have prevented 25% of compromised-account fraud by closing just 5% of associated cards. MasterCard would not release the name of the bank.
Visa Inc. says it has had similar technology, called Visa Advanced Authorization, for the past five years. It provides a Compromised Account Risk Condition Code, which includes information about risks associated with an account exposed to a data breach and provides event reference IDs upon authorization, specifying the associated breach to the account.
McNelley contends the MasterCard product is an improvement, however.
“The level of detail that [MasterCard] provides in the authorization message is a definite differentiator,” she says. “And the timing with which they are able to provide these analytics is quicker than what Visa is providing today.”
MasterCard’s predictive element, gauging the likelihood the account would go bad in the next two weeks, also is unusual, McNelley says.
Mark Nelsen, Visa senior business leader for fraud risk products, says prediction also is a component of the score Visa presents to issuers.
