5 steps to effectively recover from card breaches

EnableSoft surveyed nearly 500 financial institutions and identified five common actions they take before a data theft strikes in order to better protect card holders.

While individual financial institutions can do little to prevent card theft, making plans beforehand on how to protect customers when disaster strikes helps mitigate exposure, and prevent loss and inconvenience for the customer.

The five steps proactive banks take are:

1. Query customer accounts for potential trouble purchases. After a bank has been notified of a suspected breach by their card association, financial institutions typically wait for the Compromised Account Management System (CAMS) alert containing cards thought to be in jeopardy. Unfortunately, the time between the breach and notice delivery can be weeks.

After a breach is identified, proactive banks scan customer accounts for any transaction at the affected retailer(s) during the time period in question, and flag them. The safest course of action once a transaction is flagged is to cancel the card and issue a new one promptly. Customers rarely mind their card issuer taking above-and-beyond measures to protect their interests.

2. Adjust spending limits to reduce liability early on. If an immediate cancellation is not possible, reducing customers’ spending limits can help mitigate loss and still permit some spending activity until a new card arrives.

When Massachusetts-based StonehamBank learned they had as many as 900 cards stolen in last year’s Target breach, they lowered PIN purchase transaction limits to $1,500 from $3,500 and set signature transaction limits to $0. The action allowed card holders to make relatively secure transactions while protecting them from loss due to easily-forged signatures. “A big key for us was managing the change in card status and the change in card limits.” says Rule Loving, StonehamBank’s assistant vice president of operations systems. “We had a plan in place, and the right technology, to execute quickly and protect customers.”

3. Know how to “hot card” accounts. Once spending limits have been reduced, compromised cards need to be flagged as such and then cancelled.

While most card issuance applications allow banks to add this designation, the issue at hand becomes a question of “how”: How will the bank physically navigate thousands of accounts and add a “hot card” status to each one? For most financial institutions, the manual effort needed to search and flag compromised account can drain resources from other areas like customer service.

4. Get new cards to customers fast. The best card issuers get new cards to customers soon after a breach is discovered. A bank’s pre-breach plan should include strategies on how to issue new cards to customers at different levels of compromise (e.g. one card compromised, 1,000 cards, all cards, etc.).

As with hot carding, a bank’s plan should detail precisely who will manage the card reissuance process, and how it will actually be accomplished at varying levels of risk. For example, with 500 compromised cards, a bank may choose to simply reissue cards by hand. At 1,000 cards, however, the amount of data may become too onerous and so, outsourcing to a core or other solution may be considered.

5. Notify customers early and often. Keeping card holders happy means keeping them in the loop. Proactive banks keep customers informed of each step of the recovery, including sending e-mails and letters, and adding notes to their account so that customer service and call center representatives can update the customer should they need to speak to one.

Although retailers shoulder much of the blame for large data thefts, banks often receive unwarranted scorn from customers who felt they should have been better protected. The bank that is able to initiate contact with a customer about a breach, and even reissue cards before the news goes public, can virtually eliminate any ill will or bad press that might occur as a result.

Enablesoft provides software called Foxtrot that automates data conversions following bank or branch acquisitions, or “hot carding” and reissue after a breach.