Taking the sting out of data breaches
Many financial institutions have felt the sting of recent breaches, and rumor has it that several more are to come. Dealing with the aftermath is frustrating, time-consuming and, in some cases, costly.
Fortunately, there are steps community banks can take to ensure they are prepared the next time hackers and fraudsters team up to wreak havoc in the industry. The following are best practices that many banks are now applying as they face an intensified data breach threat.
Instant issuance — When sizable data breaches hit the banking industry, there is a large number of mass reissue projects, which puts a great deal of strain on the card systems and processes that are critical to fast, convenient replacement for cardholders. Banks can avoid many of the long queues, and much of the customer frustration, with an instant-issuance strategy.
Compromised card notifications — Most banks receive compromised card alerts from their payment processors. However, it’s important not to assume those processors maintain that information. Some store this type of data for only seven days. Banks should save compromised card lists to an internal folder immediately upon receipt.
Mass reissue — It’s important to weigh whether an immediate mass reissue is really necessary. With sufficient fraud management services, impacted cards are automatically queued and monitored closely to catch counterfeit fraud. Often these systems are very sophisticated and balance fraud mitigation and cardholder convenience well.
Hot-carding — Card managers should determine how the bank will handle what’s called the “hot card.” The native intent of the hot-carding process is to prevent thieves from using the card, even with the PIN. Will the bank choose to hot-card manually or use a mass hot-card process? Different strategies impact cardholders in different ways. It’s a best practice not to hot-card prior to cardholders receiving their new cards in a mass reissue. If banks decide to hot-card prior to a reissue, they should be sure to have a defined cardholder notification process in place.
Maintenance on the core — Banks should train staff sufficiently in breach response so they understand exactly how maintenance performed on the bank’s core may impact existing card records and, in turn, affect the mass reissue process.
Cardholder communication — Bank staff should always be forthcoming and realistic with cardholders. Prior to communicating a card reissue turnaround time, staff should connect with the bank’s card vendor. Depending on the size of the breach, reissue turnaround can take longer than normal. If photo cards are impacted by a breach, the bank must identify the image ID for those cards prior to reissuing them. This can take additional time, so staff should be aware of the timeline when communicating with cardholders.
Cardholder contact information — Having up-to-date cardholder contact data is critical to a fast turnaround on reissues. Knowing how to reach your cardholders, as well as how to enter their contact information in new card accounts, will save bank staff an incredible amount of time correcting data when a breach occurs.
Analysts predict that large breaches will continue and that more consumers will be impacted. Setting a proactive plan and getting policies, procedures, and training in place today will help your bank react swiftly and in the best interests of customers when the inevitable happens again.