The knee-jerk reaction to news of a data breach at a payments processor is the fear that massive fraud could run up a bank’s liabilities to its credit and debit cardholders. In fact, there are usually more mundane, but bigger, costs banks need to worry about.
The best defense against a breach is to get the compromised cards out of circulation by informing affected customers of the problem, reissuing cards, and mailing them out. All these administrative costs pile on, and usually far outweigh, the costs of any fraud that may have occurred.
Lone Star National Bank, for example, put its total damages at $50 million when it filed a lawsuit against Heartland Payment Systems last year. Heartland, the nation’s fifth-largest payments processor, stunned the payments community when it announced a breach of 130 million cards.
Lone Star is now one of five financial institutions taking part in a class-action suit alleging that Heartland was negligent and violated its fiduciary duty in allowing the breach to occur. There’s no telling at this point whether the class action, which has been wending its way through the courts for months, will be decided in favor of the banks.
But case law is not on their side. Last year more than 60 credit unions lost their legal battle to recover costs associated with canceling and reissuing cards when BJ’s Wholesale Club was hacked. In a similar case, TJX Companies agreed to settle with four financial institutions by paying a portion of the costs they incurred in connection with a breach. “For the most part, the courts have not been very amenable to issues of liability posed by the issuing banks,” says David Navetta, a partner of Information Law Group, based in Denver.
The crux of the problem is that the issuing banks do not have contractual relationships with the merchants or merchant-acquiring banks holding customer data. Their obligation is to their cardholders. So even though a third party may be found to be remiss in the way it protects sensitive customer data, the bank may still be held responsible. “Ultimately, it’s the bank’s data,” says Andrew Baer, founder and owner of Baer Business Law in Philadelphia.
The lawsuits underscore the touchy liability issues that arise when an institution and its customers are affected by the actions of a third party. Even if the bank is not at fault, “the regulators are going to look at the bank because that’s the party to whom the customer entrusted that data,” Baer says.
Given this high level of responsibility, banks need to take steps to protect themselves from breaches that occur outside their walls, but within their customer bases. Both legal and technological methods, along with some heavy due diligence, are necessary. “There’s no magic bullet,” Baer says. “Banks need to mitigate risk by using various tools.”
Two states, Minnesota and Washington, have passed laws that provide limited routes for issuing banks to recover the costs associated with breaches at merchants or their acquirers. “The problem is that it’s only a couple states and the triggers are not broad, so it’s not a slam-dunk solution,” Navetta says.
With litigation proving to be an unreliable course of action, banks need to start with contracts that clearly delineate the vendors’ obligations and responsibilities, Baer says. Contracts should require processors to use state-of-the-art security, comply with all laws applicable to the bank’s privacy and security policies, notify the bank immediately of any problems, and indemnify the bank against the financial impact of any breach. Many vendors will push back on the indemnification requirement, Baer says, and the two parties will often end up splitting the risk.
That’s just one reason why contracts are not foolproof. Another is that a vendor may have a clean record, but be new in the business. “The best contract in the world will not help you” when dealing with a company with few financial resources, Baer says. Similarly, a contract is not the best defense against a company with a history of data breaches. In that case, due diligence is a better mechanism.
In recent years, the card association’s contract with the merchant-acquiring bank has emerged as a means of allowing issuing banks to recover some of the fraud and administrative costs that result from a breach. Visa’s version is known as the account data compromise recovery process. By allowing issuers to recoup at least some of their fraud-related costs through such dispute-resolution procedures, the card brands hope to avoid litigation.
Issuing banks can further strengthen their position by lobbying and working through the card brands to get more rights. The problem with that approach is that many issuers are also acquiring banks, so their internal interests end up being in conflict. “That’s why many of the institutions lobbying for these laws are some of the smaller banks and credit unions,” Navetta says.
The other route to combating fraud is to prevent it in the first place through technology that recognizes suspect transactions. “It comes down to really good fraud detection,” says Avivah Litan, a vice president and analyst at Gartner Research in Stamford, Connecticut. Equally important are ironclad methods of identifying customers, such as by requiring multiple forms of identification.
Card fraud detection systems typically analyze card transactions over time to identify patterns of usage. Transactions that occur outside the norm, say, in another country, are flagged or even stopped outright. Setting fraud controls too tightly, however, may inconvenience legitimate customers who may, for example, be traveling abroad.
One way to get around that problem is to examine how customers are using all of the products they have with a bank. “Particularly for cross-border fraud, profiling customers across multiple dimensions is extremely important,” says Paul Henninger, vice president of products at New York-based NICE Actimize.
In other words, banks should look for transactions across a wide range of bank products that suggest a customer has gone on vacation. An ATM withdrawal at an airport combined with a credit card check-in at a nearby hotel, for example, is a good indication that a customer is traveling. “Looking at behavior across all products is much more effective in terms of reducing false positives,” Henninger says.
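The difference between a single-product rule and the cross-product profiling Henninger describes is easy to show on a small replay. The example below is added here and is not code from the article or from any vendor named in it; the event timeline, country codes, merchant categories and fraud labels are all constructed, and the rules, look-back window and "departure hint" categories are illustrative assumptions rather than anyone's production logic.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Event:
    customer: str
    ts: datetime
    product: str         # bank product that produced the event: "card", "atm" or "online"
    country: str         # constructed country code where the event occurred
    category: str        # constructed label: "airport_atm", "hotel", "grocery", "login", ...
    fraud: bool = False  # constructed ground-truth label, used only to score the rules

HOME = "US"                                   # assumed home country of every sample customer
WINDOW = timedelta(hours=48)                  # assumed look-back window for corroborating events
DEPARTURE_HINTS = {"airport_atm", "airline"}  # home-country events that suggest a trip is starting

Rule = Callable[[Event, List[Event]], bool]

def naive_rule(txn: Event, history: List[Event]) -> bool:
    """Single-product rule: every card purchase outside the home country is suspect."""
    return txn.product == "card" and txn.country != HOME

def cross_product_rule(txn: Event, history: List[Event]) -> bool:
    """Cross-product rule: a foreign card purchase is suspect only when no *other*
    product has placed the customer in that country, or at a departure point at
    home, inside the look-back window."""
    if txn.product != "card" or txn.country == HOME:
        return False
    recent = [e for e in history
              if e.product != "card" and txn.ts - WINDOW <= e.ts <= txn.ts]
    corroborated = any(
        e.country == txn.country or (e.country == HOME and e.category in DEPARTURE_HINTS)
        for e in recent
    )
    return not corroborated

def evaluate(rule: Rule, events: List[Event]) -> Dict[str, int]:
    """Replay events in time order, giving each rule only the customer's earlier
    events as history, and count hits and misses against the fraud labels."""
    counts = {"true_pos": 0, "false_pos": 0, "false_neg": 0}
    by_customer: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        history = by_customer.setdefault(ev.customer, [])
        flagged = rule(ev, history)
        if flagged and ev.fraud:
            counts["true_pos"] += 1
        elif flagged and not ev.fraud:
            counts["false_pos"] += 1
        elif not flagged and ev.fraud:
            counts["false_neg"] += 1
        history.append(ev)
    return counts

T0 = datetime(2010, 6, 1, 6, 0)
H = lambda hours: T0 + timedelta(hours=hours)

# Constructed timeline. alice is a genuine traveler, bob's card was used abroad
# while he stayed home, and carol's only "travel" signal is a week old.
SAMPLE_EVENTS = [
    Event("alice", H(0),    "atm",    "US", "airport_atm"),
    Event("alice", H(10),   "card",   "FR", "hotel"),
    Event("alice", H(12),   "card",   "FR", "grocery"),
    Event("alice", H(30),   "atm",    "FR", "city_atm"),
    Event("alice", H(72),   "card",   "FR", "restaurant"),
    Event("bob",   H(1),    "online", "US", "login"),
    Event("bob",   H(5),    "card",   "BR", "electronics", fraud=True),
    Event("carol", H(-120), "atm",    "US", "airport_atm"),
    Event("carol", H(2),    "card",   "MX", "jewelry", fraud=True),
]

def compare_rules() -> Dict[str, Dict[str, int]]:
    """Score both rules on the constructed timeline."""
    return {
        "naive": evaluate(naive_rule, SAMPLE_EVENTS),
        "cross_product": evaluate(cross_product_rule, SAMPLE_EVENTS),
    }

if __name__ == "__main__":
    for name, counts in compare_rules().items():
        print(f"{name:14s} {counts}")
```

On this timeline the naive rule catches both fraudulent purchases but also flags all three of alice's legitimate French transactions, while the cross-product rule catches the same two frauds with no false positives: alice's airport ATM withdrawal at home, and later her ATM withdrawal in France, corroborate her card use, whereas carol's week-old airport withdrawal falls outside the window and so does not excuse the Mexican purchase. The rule still flags a genuine traveler who leaves no non-card trace at all, which is exactly the trade-off between false positives and customer inconvenience that the article describes; the window length and the set of corroborating categories are the tuning knobs.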
Only recently have banks begun to coordinate their fraud detection efforts across product groups. Traditionally, the online banking fraud group operated distinctly from the credit or debit fraud group, for example. Cleveland-based KeyCorp, which signed an agreement in July to use Actimize’s fraud prevention system across multiple channels and business lines, aptly demonstrates that not just big banks but even regional ones are adopting an enterprise strategy for fraud control, Henninger says. “More banks are taking the stance that fraud is not going away,” he notes.
Once banks have done all they can to improve their own internal fraud detection, they need to exercise proper due diligence to ensure the systems of their service providers are up to snuff. That means visiting processing sites before signing a contract, as well as following up with regular visits to verify safeguards not only remain in place but are upgraded in light of new risks. “In 2011, you’re going to know some things you don’t know in 2010,” Baer says.
Many banks fall short in terms of having a formalized method of due diligence. “That’s critical,” Baer says. “If you don’t have that in place, you’re going to get nailed.”
Even with effective due diligence in place, banks can only rely so much on the security efforts of their processing vendors. Processors are obligated to comply with the standard known as PCI DSS (the Payment Card Industry Data Security Standard), but adherence to that standard is not equivalent to safety. Heartland, for example, was listed as PCI-compliant when its cardholder database was breached.
PCI is a prescriptive list of general controls that serve as a baseline for better security. But it is not a cure-all. “I don’t know if PCI has stopped any breaches,” Litan says. “It’s probably resulted in a 10% lift.” PCI compliance (or lack of it) at least can serve as a trigger for issuing banks seeking recourse. A bank suffering from a breach at a non-PCI-compliant vendor has more remedies available to it, Navetta says.
Perhaps the best defense against cardholder attacks is to follow the path of Europe and deploy credit and debit cards with chips, which provide strong security features, among other capabilities. However, the cost of creating and issuing chip-based cards and retrofitting card terminals to accept them is considered prohibitive. “The cost of doing all that is more than the fraud the banks are experiencing,” says Jerry Silva, founder of Boston-based PG Silva Consulting.
Until the chip-card cost equation shifts, banks need to make do with a multilayered strategy that includes contractual safeguards, technology, due diligence, and vendor management. So far the legal route has failed to work, largely because of the tenuous relationship between card issuers and merchant-acquiring banks. According to Navetta, the best-case scenario from a legal perspective is for issuers to prove merchant acquirers breached their contract in the case of a security infraction. “But,” he says of the issuers, “they don’t have a contract.”