Compliance Matters

Preparing for the Next Merchant Data Breach

Turn members into fraud-fighting allies, and solidify your CU’s defenses.

April 1, 2014
Large-scale data breaches at major retailers such as Target, Neiman Marcus, and Michaels craft stores have dominated the headlines since December.
Cyberthieves have become adept at obtaining consumer card data by injecting malicious software (“malware”) into retailers’ point-of-sale (POS) systems.
Once installed, the malware allows thieves to systematically capture magnetic stripe data on each credit/debit card used at the merchant’s POS terminals. Data includes the cardholder’s name, card number, expiration date, and card verification value (CVV) or card verification code (CVC). The hacker passes the data to other criminals, who use it to create fraudulent credit and debit cards.
Many card issuers have sustained significant financial losses as a result. With the increase in POS malware infections, credit unions should consider these tips as we brace ourselves for the next round of merchant data breaches.
Notifying affected members
NCUA’s Part 748, Appendix B—“Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice”—requires credit unions to notify affected members and regulators only when an incident of unauthorized access to member data involves member information systems a credit union or its contracted service provider(s) maintains.
So, a merchant’s data breach does not trigger a Part 748 member notification. Nevertheless, notifying any affected members is a good way to protect the member and the credit union from fraudulent card usage.
Many credit unions provide notification via postal mail, email, and website announcements.
Credit unions should be aware most states have data breach notification laws. The National Conference of State Legislatures maintains a list of these state laws on its website.
Credit unions can contact their state league for more information on state requirements.
Educating your members
Educating members about protecting their accounts and identity from theft is a critical loss prevention strategy. Members should:
  • Regularly review account activity for unauthorized charges or debits. Members who have online or mobile access to their accounts should check their transactions as frequently as possible following a data breach. Those who receive paper statements should open them upon receipt and review them closely.
  • Immediately report any unauthorized transactions to the credit union, no matter how small the dollar amount involved. Thieves often process a small debit or charge against an account to determine whether they have a valid card number. If the smaller dollar amount is approved, they’ll return for more. Fraudulent transactions can occur many months after a card data breach.
  • Monitor credit reports and consider placing an initial fraud alert with credit bureaus to prevent identity theft. Members also can visit the Federal Trade Commission’s identity theft information website.
  • Guard against “phishing” fraud, i.e., fraudsters “fishing” for confidential information. Members shouldn’t respond to any email, text message, or phone call asking for verification of card information, including their account number, personal identification number (PIN), or other confidential data.
For more information, visit the Consumer Financial Protection Bureau’s website. Read the Jan. 27, 2014, blog post titled, “Four steps you can take if you think your credit or debit card data was hacked.” The accompanying consumer advisory—“Watch accounts closely when account data is hacked and report suspicious charges”—is also useful.
Risk mitigation tips
To mitigate card fraud resulting from a data breach, CUNA Mutual Group advises credit unions to consider:
  • Reviewing the card associations’ alerts daily and taking action when necessary.
  • Evaluating compromised card numbers to determine the level of fraud exposure.
  • Determining which cards contained in the alerts remain active (open).
  • Using name matching for Track 1 data, which carries the cardholder’s name on the magnetic stripe.
  • Blocking and reissuing affected cards, or accelerating card expiration dates on active cards that will expire in the next 30 to 180 days.
  • Reviewing fraud patterns and reporting any common point-of-purchase location to the card associations.
  • Confirming the card association’s available dispute action on the compromised cards, as well as any time frames.
  • Ensuring all fraud associated with an event has been reported to the card associations and to the credit union’s insurance company.
  • Working with a fraud monitoring system vendor to create rules and strategies to prevent future fraud on the compromised card accounts.
CUNA Mutual Group policyholders can visit the company’s Protection Resource Center for additional risk alerts and more detailed guidance on payment card risk mitigation.
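The triage steps above, as an added Python example that is not part of the article or CUNA Mutual Group’s guidance: it takes a constructed association alert (compromised PANs plus Track 1 strings), checks which cards are still open, uses the Track 1 cardholder name for name matching, and assigns each card an action. The card-record schema, the sample PANs and names, and the use of one to six calendar months as an approximation of the 30-to-180-day window are assumptions.

```python
import re

# Constructed sample data: publicly known test PANs and fictitious cardholders.
ALERT_PANS = {"4111111111111111", "5555555555554444", "4000000000000002", "378282246310005"}
PORTFOLIO = {  # PAN -> issuer card record (assumed schema; expires = (year, month))
    "4111111111111111": {"name": "DOE/JANE", "status": "open", "expires": (2014, 5)},
    "5555555555554444": {"name": "SMITH/JOHN", "status": "open", "expires": (2015, 11)},
    "4000000000000002": {"name": "ROE/RICHARD", "status": "closed", "expires": (2014, 9)},
    "378282246310005": {"name": "BLOGGS/JOE", "status": "open", "expires": (2016, 1)},
}
# Constructed Track 1 strings (ISO 7813 layout: %B<PAN>^<NAME>^<YYMM><service code>...?)
TRACK1_SAMPLES = [
    "%B4111111111111111^DOE/JANE^1405101000000000000?",     # name matches our record
    "%B5555555555554444^BROWN/ALICE^1511101000000000000?",  # name does not match
]
TRACK1_RE = re.compile(r"^%B(\d{1,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?$")

def parse_track1(track):
    """Return (pan, name, exp_year, exp_month), or None if not a Track 1 string."""
    m = TRACK1_RE.match(track)
    if not m:
        return None
    pan, name, yy, mm, _service = m.groups()
    return pan, name.strip(), 2000 + int(yy), int(mm)

def months_until(expires, today):
    """Whole months from today=(year, month) to the card's expiration month."""
    return (expires[0] - today[0]) * 12 + (expires[1] - today[1])

def triage(alert_pans, portfolio, today, track1_samples=()):
    """Map each alerted PAN to an issuer action: no action, investigate, accelerate, or reissue."""
    track_names = {}
    for sample in track1_samples:
        parsed = parse_track1(sample)
        if parsed:
            track_names[parsed[0]] = parsed[1]
    actions = {}
    for pan in sorted(alert_pans):
        card = portfolio.get(pan)
        if card is None:
            actions[pan] = "not our card: no action"
        elif card["status"] != "open":
            actions[pan] = "already closed: no action"
        elif pan in track_names and track_names[pan] != card["name"]:
            actions[pan] = "name mismatch: investigate before acting"
        elif 1 <= months_until(card["expires"], today) <= 6:  # roughly 30 to 180 days out
            actions[pan] = "accelerate expiration"
        else:
            actions[pan] = "block and reissue"
    return actions
```

Running `triage(ALERT_PANS, PORTFOLIO, (2014, 2), TRACK1_SAMPLES)` gives one action per alerted PAN; cards whose Track 1 name disagrees with the issuer record are held for investigation rather than acted on automatically.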
Next steps?

Congress introduced several bills in January following the Target breach, including the Data Security and Breach Notification Act of 2014 and the Data Security Act of 2014. Both bills would require companies to adopt enhanced security standards to better protect sensitive information, and to notify affected consumers in the event of a data breach. The bills seek to provide a national standard to replace the patchwork of state laws governing data breach notification.
CUNA has lobbied for several years for federal legislation requiring merchants to reimburse financial institutions for costs incurred when a data breach occurs in a retailer’s POS systems. These costs include reissuing affected cards, additional staffing, overtime pay, administrative costs, and the actual fraud losses.
Based on 1,112 responses to CUNA's Target Breach Survey, representing between 33% and 40% of credit union debit and credit cards, credit unions incurred estimated costs of $30.6 million as of Feb. 10, 2014. That figure doesn't include fraud losses. As this article went to press, CUNA was scheduled to brief the House Financial Services Committee on this issue.
The other “next step” might be replacing the magnetic stripe on payment cards in the U.S. with EMV (Europay, MasterCard, Visa) microchip technology, already common in Europe.
Experts regard magnetic stripes as “fraud-prone” because thieves can easily duplicate the cards or steal data from them.
According to the card associations, chip technology is more secure, uses stronger authentication (chip + PIN), and the card’s microchip is difficult to duplicate. This transition will be lengthy and expensive for both card issuers (who must reissue payment cards) and merchants (who must upgrade POS terminals to accept these cards). Still, the recent wave of payment card data breaches might accelerate the interest in EMV adoption in the U.S.
VALERIE Y. MOSS is CUNA’s senior director of compliance analysis. Contact CUNA’s compliance department at