Card security: Tighten current standards prior to innovating

by Karen Gordon

Card security and the need to better protect against fraud have gripped headlines since the Target breach. The ensuing aftermath of finger-pointing and lawsuits over who is responsible for the massive losses continues. The costs have run deep, from card reissuance to credit monitoring services and additional customer service staff to handle the sheer volume of calls and complaints. Most important, perhaps, is the loss of consumer trust.

Things are clearly broken and the magnitude of this incident demands greater protections, including a renewed look at EMV technology. Even the government is getting involved—Senator Patrick Leahy (D-Vt.) has reintroduced the Personal Data Privacy and Security Act, a bill he first sponsored in 2005, that would create new rules for data breach notification and securing customers’ personal information. Additionally, the Obama administration has established voluntary guidelines for banks and other companies to raise their cybersecurity standards. Before the industry (or the government) makes any major changes, I’d argue there are significant gaps in the most basic fraud prevention efforts.

There are numerous opportunities for fraudsters to attack our payments system—antiquated card technology, retail vulnerabilities, vendor security, phishing schemes and carelessness on the part of consumers. Responsibility falls on card issuers, retailers and consumers alike. Without everyone doing their part to ensure security, things will inevitably go wrong. Allow me to share a personal use case that exhibits how safeguards already in place aren’t working as effectively as they should.

Many card companies offer a security feature that allows customers to set automatic alerts for unusually large transactions, international charges, cash advances, etc., to protect themselves from fraud. When any of these occur, an email or text message is sent to the cardholder immediately. Recently I received such an alert for a transaction made over $500 on one of my cards from a leading issuer. I called right away to notify them that the charge was not mine. The issuer’s response was to “wait and see” if the charge would go through. A day later, after thousands of dollars in fraudulent transactions had posted to my account, the card was finally cancelled. The account monitoring system in place worked perfectly, but the card company didn’t take immediate action.
