Managing Card Compromises – Not One Size for All by Jennifer Gardner
July 3, 2018
Jennifer Gardner, FIS | Senior Vice President, Credit/Debit/Fraud
It is a familiar story: a merchant database is attacked; an unknown number of cards are compromised and all cards are reissued. No one wins – the cardholders are inconvenienced and the card issuer pays the price – but the fraud, at least, is mitigated. Mass reissuance may be an effective strategy to combat fraud, but it is a very blunt instrument where huge numbers of cards are unnecessarily reissued, at considerable cost to the issuer and hassle to the customer.
It should not be a one-size-fits-all decision because every reissued card carries the potential to lose a customer or at least threaten top-of-wallet status. There needs to be a smarter way to manage card compromises by pinpointing the cards that are genuinely at risk.
Card compromises are an inevitable fact of life. Like it or not, fraudsters are an existential threat, and they are only getting smarter and more sophisticated, resulting in an arms race with card issuers. The standard response to the rising number of data breaches is that the issuer detects real or potential fraud, notifies customers and then reissues the cards – but such an action can put spend rates at risk.
The rush by many banks and credit unions to reissue in order to prevent fraud results in extra staff hours to answer members’ calls and can cost issuers over five dollars for each reissued card. However, only about five or 10 percent of cards whose data is exposed in a breach end up getting used in fraudulent transactions. The problem is, card issuers cannot determine the risk of each cardholder and, therefore, cannot decide on the severity of the situation – so should they reissue all cards or wait for suspicious activity and then act? Further compounding the problem is that by the time a compromise is noticed by the card network, the fraudulent activity has probably already been going on for months.
Issuer costs are not the only problem with unnecessarily reissuing a card; the process may lose the customer altogether. When a cardholder gets their reissued card, how likely are they to diligently update their card details on all the card-on-file services they use such as Netflix, Amazon, etc.? It’s likely that the cardholder will re-register with another card they have in their wallet. The reissuance may also affect the cardholder’s decision at the store point of sale (POS).
Any threat to top-of-wallet status is a potential loss in revenue, so how can card issuers address fraud risks, customer inconvenience and the public need for justice and security without reissuing all exposed cards?
Reactive Card Reissuance
What is needed is an early warning on potential fraudulent activity – a more precise way of scoring the risks to individual cardholders, before the network alert. Earlier detection can drastically reduce the scope and costs of breaches. Meanwhile, having intelligence about data breaches and the exposed data allows issuers to set specific rules for the reissuance of individual cards rather than initiating a wholesale reissuance process.
The aim is that, with well-crafted rules, the rate of fraud on an individual card and the various cardholder scores can be rationally evaluated to trigger specific actions based on the true risk. Modern card-fraud management solutions can look for fraud over large data sets and can identify an affected card well before any alert comes out of the network itself, sometimes one or two months earlier.
Getting Intelligent Insight
With smarter fraud detection technology, issuers can look at the cardholder level to get a probability of the fraud risk. One cardholder may have suspicious activity that looks risky given the criteria and can be marked as a card that should be reissued. Meanwhile, a second cardholder may not have been impacted; the service may mark them as needing further monitoring, but their risk level means that the card reissue can wait until more evidence comes forth. This results in more nuanced monitoring, with levels of severity aiding the decision to reissue.
All too often, issuers look at card fraud from a program level; if the card program is compromised then all cards are reissued irrespective of their individual risk. This not only wastes money, it inconveniences customers who were not impacted – typically around 80 percent. Better fraud detection technology gives issuers the power to be precise when determining which cards might need to be reissued in the wake of a compromise.
On the other hand, some issuers do nothing when fraud occurs as the cost to reissue is too great – so without the right technology or resources, they have no way of really knowing which cards to reissue without increasing their costs. This results in no action until cardholders validate fraud, which sometimes might be too late – fraudsters have already used the card’s information for malicious activity.
Getting the Balance Right
Issuers that take more care with reissuance save on direct reissuance costs, but also reduce the odds of longer-term losses. The critical component in smarter fraud management is the rules algorithm. That’s because, when rules miss a fraudulent transaction or flag a legitimate transaction, the financial institution and their cardholders pay the price. The rules determine what activity is considered potentially problematic, but it is vital not to overbuild the rules or there could be too many false declines in transaction results, meaning cardholders face rejections or are incorrectly marked as suspects.
When there is genuine fraud on a card, the cardholder might be a bit uneasy using the card again. The consumer might be obliged to pull out a different card. Conversely, if the card is reissued a few times, there may be some concerns about activation rates. Any impediment placed before cardholders – whether real or perceived – can increase the risk that consumers will lose trust in the card. Many consumers whose cards are denied due to suspected fraud that turns out to be false often end up abandoning those cards. In fact, two or more false declines can result in 20 percent of consumers not using a card again.
Fraud detection management technology that includes a wider range of analytical sources can make it easier for issuers to better protect their cardholders. Simply reissuing cards liberally after a data breach is costlier than waiting for suspicious activity to occur before reissuing. It is important to strike the right balance.