How Issuers Should Recover After a Data Breach

News of a data breach at Home Depot stores throughout the U.S. and Canada is compounding fears on the part of card holders that “big box” and other retailers can do little to protect them from credit and debit card fraud.

While the scope of the theft remains yet to be determined, initial estimates exceed similar breaches at Michael’s and Target stores in April, 2014 and December, 2013, respectively. While individual financial institutions can do little to prevent card theft, making plans now on how to protect customers when disaster strikes helps mitigate exposure, and prevent loss and inconvenience for the customer.

EnableSoft surveyed nearly 500 banks and credit unions and identified five common actions they take before a data theft strikes in order to better protect card holders.

First, proactive banks query customer accounts for potential trouble purchases. After a bank has been notified of a suspected breach by their card association, financial institutions typically wait for the Compromised Account Management System (CAMS) alert containing cards thoughts to be in jeopardy. Unfortunately, the time between the breach and notice delivery can be weeks. After a breach is identified, proactive banks scan customer accounts for any transaction at the retailer(s) in question, during the time period in question, and flag them. The safest course of action once a transaction is flagged is to cancel the card and issue a new one promptly. Customers rarely mind their card issuer taking above-and-beyond measures to protect their interests.

 A second step is adjusting spending limits early to reduce liability. If an immediate cancellation is not possible, reducing customers’ spending limits can help mitigate loss and still permit some spending activity until a new card arrives. When StonehamBank learned it had as many as 900 cards stolen in last year’s Target breach, they lowered PIN purchase transaction limits to $1,500 from $3,500 and set signature transaction limits to $0. The action allowed card holders to make relatively secure transactions while protecting them from loss due to easily-forged signatures. “A big key for us was managing the change in card status and the change in card limits.” said Rule Loving, StonehamBank’s Assistant Vice President of Operations Systems. “We had a plan in place, and the right technology, to execute quickly and protect customers.”

Once spending limits have been reduced, compromised cards need to be flagged as such and then cancelled. While most card issuance applications allow banks to add this designation, the issue at hand becomes a question of “how”: How will the bank physically navigate thousands of accounts and add a “hot card” status to each one? For most financial institutions, the manual effort needed to search and flag compromised account can drain resources from other areas like customer service.

The best card issuers get new cards to customers soon after a breach is discovered. A bank’s pre-breach plan should include strategies on how to issue new cards to customers at different levels of compromise (e.g. 1 card compromised, 1,000 cards, all cards, etc.). As with hot carding, a bank’s plan should detail precisely who will manage the card reissuance process, and how it will actually be accomplished at varying levels of risk. For example, with 500 compromised cards, a bank may choose to simply reissue cards by hand. At 1,000 cards, however, the amount of data may become too onerous and so, outsourcing to a core or other solution may be considered.

Finally, keeping card holders happy means keeping them in the loop. Proactive banks keep customers informed of, and during, each step of the recovery, including sending e-mails and letters, and adding notes to their account so that CSR and call center reps can update the customer should they need to speak to one. Although retailers shoulder much of the blame for large data thefts, banks often receive unwarranted scorn from customers who felt they should have been better protected. The bank that is able to initiate contact with a customer about a breach, and even reissue cards before the news goes public, can virtually eliminate any ill will or bad press that might occur as a result.

In developing a plan to execute each of these steps, proactive banks should consider how resources will be allocated to accomplish them. In many cases, pulling staff from critical areas of the bank, or bringing in a team over one or more weekends, is the only solution. A good plan details exactly who will perform each task, and for how long. Core system providers or other third-parties can offer turnkey support during and after a card breach. Other solutions include automation software like Foxtrot from EnableSoft, which can licensed and programmed to execute each of these steps well before a breach, so responding to data theft is often a matter of a simple mouse click.

Richard Milam founded EnableSoft in 1995 and serves as the President and CEO.