Card Security: Tighten Current Standards Prior to Innovating
Card security and the need to better protect against fraud have gripped headlines since the Target breach. The aftermath of finger-pointing and lawsuits over who is responsible for the massive losses continues. The costs have run deep: card reissuance, credit monitoring services, and additional customer service staff to handle the sheer volume of calls and complaints. Perhaps most important is the loss of consumer trust.
Things are clearly broken, and the magnitude of this incident demands greater protections, including a renewed look at EMV technology. Even the government is getting involved: Senator Patrick Leahy (D-Vt.) has reintroduced the Personal Data Privacy and Security Act, a bill he first sponsored in 2005, which would create new rules for data breach notification and for securing customers' personal information. Additionally, the Obama administration has established voluntary guidelines for banks and other companies to raise their cybersecurity standards. Before the industry (or the government) makes any major changes, I'd argue there are significant gaps in the most basic fraud prevention efforts.
There are numerous opportunities for fraudsters to attack our payments system: antiquated card technology, retail vulnerabilities, weak vendor security, phishing schemes, and carelessness on the part of consumers. Responsibility falls on card issuers, retailers, and consumers alike. Without everyone doing their part to ensure security, things will inevitably go wrong. Allow me to share a personal use case that illustrates how safeguards already in place aren't working as effectively as they should.
Many card companies offer a security feature that allows customers to set automatic alerts for unusually large transactions, international charges, cash advances, etc., to protect themselves from fraud. When any of these occurs, an email or text message is sent to the cardholder immediately. Recently I received such an alert for a transaction of over $500 on one of my cards from a leading issuer. I called right away to notify them that the charge was not mine. The issuer's response was to "wait and see" if the charge would go through. A day later, after thousands of dollars in fraudulent transactions had posted to my account, the card was finally cancelled. The account monitoring system in place worked perfectly, but the card company didn't take immediate action.
While I was off the hook for the charges, someone had to pay. I'm speculating here, but perhaps the card company was attempting to provide good customer service by not cancelling my card, knowing they could push the losses back to the merchant as chargebacks. Good customer service doesn't equate to having to make several phone calls to remove charges that occurred after I had notified my issuer that my card had been compromised. An effective fraud prevention system doesn't "wait and see" just because the company isn't the one responsible for the losses.
Fast forward to receiving my replacement card. An attempt to activate the new card online was unsuccessful because I didn't know my PIN. A phone call to customer service resulted in an automated system with the same request: enter your four-digit PIN. After entering a few random numbers without success, I pressed "0", thinking perhaps a real person could help me reset my unknown PIN. What happened next stunned me. An automated message stated that my card had been activated and was available for use. I expected the numerous failed attempts to flag me as a potential hacker and transfer me to a customer service representative to provide further information, such as the name of my first pet. I'm not aware of any secure computer system that allows you to enter numerous incorrect passwords without eventually prompting some form of security intervention.
Speculating again, maybe the card company recognized my phone number, so they didn't think further validation was necessary. If the customer doesn't know the rationale for decisions happening behind the scenes, that doesn't create trust or a sense of security. Common sense tells me that security parameters should be even tighter following a breach of sensitive information of this magnitude. Understandably, too much transparency by card issuers regarding their protocols leaves the door wide open for fraudsters, but perhaps there is some middle ground.
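The control that the activation flow above appears to lack, shown as an added example that is not part of the original post and not any issuer's code: a toy activation handler in the form described (unbounded PIN attempts, and a "0" key that activates the card) beside a hardened one that counts failures per card record and escalates to step-up verification instead of activating. The PIN, the attempt threshold, the salt and the state names are assumptions for illustration.

```python
# Added example, not code from the original post or from any card issuer.
# Two activation handlers: a weak one mirroring the behaviour described
# above (unlimited wrong PINs, "0" activates) and a hardened one that bounds
# attempts and routes to step-up verification. The PIN, the threshold, the
# salt and the state names are assumptions for the demo.
import hashlib
import hmac
from dataclasses import dataclass

MAX_PIN_ATTEMPTS = 3  # assumed issuer policy


def hash_pin(pin: str, salt: bytes) -> bytes:
    # PIN verification normally happens inside an HSM; a slow salted hash
    # stands in for that here so the example runs offline.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


@dataclass
class Card:
    pin_hash: bytes
    salt: bytes
    failed_attempts: int = 0
    state: str = "pending"  # pending | active | step_up_required


def new_card(pin: str) -> Card:
    salt = b"demo-salt-not-random"  # constructed; use os.urandom(16) in practice
    return Card(pin_hash=hash_pin(pin, salt), salt=salt)


def pin_matches(card: Card, entered: str) -> bool:
    return hmac.compare_digest(hash_pin(entered, card.salt), card.pin_hash)


def weak_activate(card: Card, entered: str) -> str:
    """The flow described in the post: no attempt counter, and pressing "0"
    (meant to reach an operator) activates the card without any check."""
    if card.state == "active":
        return "already_active"
    if entered == "0" or pin_matches(card, entered):
        card.state = "active"
        return "activated"
    return "wrong_pin"  # the caller is free to try again indefinitely


def hardened_activate(card: Card, entered: str) -> str:
    """Bounded attempts: once the threshold is hit, or the caller asks for an
    operator, the card stays unactivated until step-up verification succeeds."""
    if card.state == "active":
        return "already_active"
    if card.state == "step_up_required":
        return "step_up_required"  # even the correct PIN no longer activates
    if entered == "0":
        card.state = "step_up_required"  # operator request escalates, never activates
        return "step_up_required"
    if pin_matches(card, entered):
        card.state = "active"
        card.failed_attempts = 0
        return "activated"
    card.failed_attempts += 1  # stored on the card record, not the call session
    if card.failed_attempts >= MAX_PIN_ATTEMPTS:
        card.state = "step_up_required"
        return "step_up_required"
    return "wrong_pin"


def complete_step_up(card: Card, verified: bool) -> str:
    """Out-of-band check (agent, security question, callback); only a
    successful one returns the card to the normal activation flow."""
    if card.state == "step_up_required" and verified:
        card.state = "pending"
        card.failed_attempts = 0
        return "pending"
    return card.state


def replay(activate, attempts: list) -> list:
    """Run one sequence of keypad entries against a fresh card."""
    card = new_card("4821")  # constructed PIN for the demo
    return [activate(card, a) for a in attempts]


if __name__ == "__main__":
    seq = ["1111", "2222", "3333", "0", "4821"]
    print("weak:    ", replay(weak_activate, seq))
    print("hardened:", replay(hardened_activate, seq))
```

The hardened form changes two things: the operator key is an escalation rather than a bypass, and the failure counter lives on the card record, so the limit cannot be reset by hanging up and redialing. Recognizing the caller's phone number could reasonably lower friction, but it should never substitute for the PIN check once that check has already failed.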
Card security is on the hot seat, and "Where do we go from here?" is going to remain a prominent question for some time. If security measures such as automatic alerts for unusually large transactions and the criteria for new card activation aren't even being used effectively, I don't see how investing billions in new technology or creating more legislation is a long-term resolution to where we are today. There are promising innovations on the horizon that will complicate fraudsters' ability to find the loose bricks and penetrate, but the industry must be vigilant about tightening current standards before adopting something entirely new.