Not long ago, a mass reissuance of potentially compromised debit cards was considered industry best practice for banks and credit unions in the wake of a merchant data breach. While it may be a relatively easy way to stop fraud losses, frequent card reissuance comes with a cost to your financial institution, and it may inconvenience cardholders and erode loyalty. Requiring account holders to cut up compromised debit cards can diminish their faith in the security of their card, and by extension their faith in your financial institution.
If it seems like data breaches have become more commonplace, it’s because on the average day there are nearly five data breaches reported. The Identity Theft Resource Center reports that the number of U.S. data breaches in 2017 totaled 1,579, up 45 percent from 2016. According to Bank Information Security, nearly 20 percent of breaches resulted in debit and credit card data being exposed.
In an effort to reduce cardholder impact while also mitigating risk, more and more financial institutions are exploring and adopting a variety of strategies and solutions that make mass reissuance of cards an option of last resort. At PULSE, we have six suggested fraud-mitigation strategies that your institution would be wise to explore. These strategies can be implemented right now and don’t always require destroying compromised cards.
- Lower Daily Card Limits – This is a good initial step when attempting to minimize potential fraud exposure. Lower card limits can help you limit the exposure to a compromised card whether you are reissuing cards or not.
- Provide Options – It’s important to inform the cardholder and give them an alternative to getting a new card. Some customers love having the power to decide whether they need a new card or not. However, by still notifying the customer, you will get a large portion of cardholders coming in to get new cards. This will help you to reduce your risk exposure quickly. If cardholders decide that they want to leave their cards open, it is a good opportunity to promote anti-fraud tools that the financial institution provides, like alerts and the ability to approve purchases.
- Treat High-Risk Cards Differently – When you know a certain group of cards poses a higher risk for fraud, we recommend deploying card group rules for those cards. This enables you to treat the higher-risk cards differently, which means the rest of your debit card portfolio doesn’t face the inconvenience of tighter rules that can lead to a higher rate of false positives. To learn more about how rules can help your institution, talk to your PULSE representative about PULSE’s DebitProtect® Custom Authorization Blocking services.
- Notify Cardholders – High profile breaches, such as the Equifax breach last year, naturally attract more media coverage than others. Media coverage can heighten fears, so clear, consistent and timely communication to customers is essential to accurately explain the risks and what you are doing in response. Send customers a letter informing them that their debit card has been involved in a merchant breach. Spell out the other measures you are taking, such as lowering card limits or putting aggressive card group rules in place.
- Educate Cardholders – While nobody welcomes a merchant breach, these events can present a good learning opportunity for financial institution customers. Without getting into specifics that can provide insights for fraudsters, describe some of the fraud-prevention strategies your organization is undertaking and offer guidance regarding steps individual cardholders can take to protect themselves.
- Mobilize Account Holders to Help – When combined, the above strategies are designed to limit exposure and get the attention of cardholders. What you do with that attention can take your risk-mitigation strategies to another level. Seizing the opportunity to promote products that make it possible for customers to monitor their accounts more closely can be a game changer. Some examples include transaction alerts, on/off switches for debit cards and account notifications. There is nothing more powerful than the watchful vigilance of your cardholder community.
Deploying some or all of the above strategies instead of reissuing cards can help to maintain or even strengthen cardholder trust while mitigating fraud risk.