MADISON, Wis. (1/22/09)--CUNA Mutual Group is providing guidance to its Plastic Card Insurance policyholder credit unions regarding the Heartland Payment Systems breach. CUNA Mutual sent a RISK Alert Tuesday to its nearly 5,000 Plastic Card Insurance policyholders, which provides recommendations for credit unions to mitigate losses. On Tuesday, Princeton, N.J.-based Heartland reported that its processing system was breached sometime last year. Heartland is a third-party card processor used by 250,000 merchants nationwide.
Visa and MasterCard also have confirmed full magnetic stripe data from credit and debit cards have been compromised. “Although the exact number of affected cards is not known, it is expected to be many millions,” said Chuck Cashman, CUNA Mutual Plastic Card Insurance product executive. Credit unions are receiving lists of compromised card numbers and must sort through the lists to find members’ card numbers, then determine if the cards will be blocked or re-issued. “Everyone has their nose to the grindstone looking at the lists,” Cashman said. “It’s very time-consuming.” Credit unions who re-issue cards will have to bear the cost. Given a struggling economy, “the extra expense can be detrimental,” Cashman said. Replacing cards can cost $15 to $25 per account. A sniffer is rumored to have caused the breach. Sniffers are placed on communication lines, such as a server, to capture information. Sniffers collect information, which is then unencrypted and normalized by the recipient. Sniffers can be used legitimately, but fraudsters also use them to make counterfeit cards. Credit unions need a fraud management system, but if fraud strikes on the merchant’s [or processor’s] end--like it did with Heartland--“they are kind of stuck between a rock and a hard place,” Cashman said. It could take months for Heartland’s impact to be realized. The TJX Cos. breach in 2007 took a few months to sort out, and Heartland is twice the size of TJX. Although processes have improved since then, “it’ll be a few months before everything’s pieced together,” Cashman said. Will credit unions have recourse once the impact of the breach is realized? “That’s being sorted out,” Cashman said. In October, CUNA Mutual notified Visa and MasterCard of higher-than-normal fraud activity after credit unions began informing the insurer of a spike in plastic card fraud and related activities. “CUNA Mutual Risk Management detected that something big was happening,” Cashman said. “We reported our findings to both card associations to help facilitate an investigation to determine if a breach had occurred and, if so, its origin.” The company didn’t know the fraud was related to Heartland until the processor issued a release on Tuesday. CUNA Mutual saw about 600 data breaches last year through its alerts. “Many aren’t a major alert,” Cashman said. “Hundreds of small and medium breaches never hit the radar.” CUNA Mutual has offered credit unions two related RISK Alerts issued in late 2008 when fraud activity spiked; a webinar in November and viewed by more than 600 credit unions; a questions and answers document; and talking points to assist credit unions in discussing card fraud with local media. The most recent RISK Alert recommends credit unions review Visa CAMS Alerts or MasterCard Alerts carefully to determine “high risk” exposure for future fraud. Doing so will help them determine what course of action to consider, Cashman said. Some additional recommendations in the RISK Alert include:
* Review accounts involved in the breach. Determine which cards on the card association alerts are still active (open). * Review other accounts. Find out which cards on the alerts are non-active and have been closed due to fraud. Identify if the fraud pattern on the closed accounts matches the fraud pattern described in the card associations’ alerts. * Monitor or block and reissue. Assess compromised cards to determine whether to monitor the affected cards. If opting to monitor, contact the card association (Visa or MasterCard) to determine how the credit union’s action will impact future recovery efforts, otherwise block and reissue the affected cards. Reissued cards will be encoded with new track information, which includes the new CVV/CVC values and card expiration dates.
Credit unions also call CUNA Mutual’s CU Protection Resource Center at 800-637-2676 for more information.