WASHINGTON (12/20/13)--The Credit Union National Association's regulatory staff is working with CO-OP Financial Services, CUNA Mutual Group and others, including PSCU, Financial Services Information Sharing (FS-ISAC), Visa and MasterCard, to determine the potential impact on credit unions and their members related to the massive data breach confirmed Thursday at retail giant Target.
The organizations are also providing information to mitigate the risks for credit unions and their members.
"We're keeping a close eye on the breach of debit and credit card information from Target stores, which exploded in headlines across the nation Thursday," said CUNA President/CEO Bill Cheney. "We've already been in touch with Visa and other major card payments processors to ascertain the impact on credit unions, if any," he said.
"This latest breach--while at this point reportedly smaller than the March 2007 TJX Cos. Inc. breach--once more raises the issue of the retailers' responsibility in securing information for card transactions at their stores," Cheney said. "Credit unions and other financials typically foot the bill for the breaches, in forms of issuing new cards and other security responses--as well as the reputational costs to member and customer trust in financial transactions using cards."
Target confirmed that roughly 40 million holiday shoppers' credit and debit cards may have been compromised in the breach. Meanwhile there are things that credit unions can do to mitigate the losses for their members.
The breach involves credit or debit purchases from Target's U.S. stores during the prime holiday shopping season--from Nov. 27 through Dec. 15, said Target's notice to consumers on its website. The information compromised included customers' name, credit or debit card number, and the card's three-digit CVV security code.
The card data at risk involves the compromise of the entire magnetic stripe data, both Track 1 and Track 2," said Phil Tschudy, media relations manager of CUNA Mutual Group. "We strongly recommend credit unions consider blocking and reissuing the impacted open card numbers. Credit unions electing not to block and reissue could experience magnetic stripe fraud in the future," he added.
He noted that CUNA Mutual will send a risk alert out today with more details of the breach as well as a number of tips on mitigating the risks and that it "will continue to monitor this situation with Visa and MasterCard and will notify our policyholders when new information becomes available."
CO-OP Financial Services said it was sending out an alert also. So far no PIN fraud--where cyberthieves take the information compromised and use it to withdraw cash from ATMs--has occurred, said Connie Trudgeon, vice president of CO-OP Financial Services, during a conference call with Dennis Tsang, assistant general counsel for regulatory research at CUNA.
CO-OP Financial Services partner CardAlert monitors a wider base of points of compromise and has detected no PIN fraud associated with the breach, Trudgeon said. These aren't at risk of online fraud because the magnetic strip information, used for counterfeit cards, is not available. "We will continue to monitor it and to get the bigger picture" of the impact, she told CUNA.
Before Target confirmed the breach, CO-OP sent an alert to credit unions and financial institutions Wednesday. Thursday it prepared a follow-up alert advising credit unions to tell members to pay close attention to their credit and debit card accounts. Credit unions also should use their discretion on reissuing cards, closely monitoring the impact of potential losses with the effect on service to members. Credit unions are different in how they go about approaching breaches, she said.
Visa Compromised Account Management System and MasterCard Account Data Compromise services are working on creating files of compromised account numbers for processors and issuers. MasterCard started releasing compromised numbers to institutions as soon as it received word of the breach, said CO-OP.
Essentially credit unions have two primary options in handling potentially compromised cards:
- Monitor transaction activity without blocking or reissuing a card, encourage members to monitor their transaction activity online and sign up for alerts; or
- Block and reissue a new account or card. Blocking and reissuing a new account minimizes inconvenience to the member just before Christmas but potentially subjects the credit union to more fraud losses. Blocking and reissuing a new card potentially minimizes fraud loss to the credit union, but means significant inconvenience to members who would be without a card at a critical time of year for purchases. This in turn could create reputational risk and possibly cause the member to choose another card as their primary card.
"Across the board, credit unions should know whether they are in a neural network and have a monitoring system in place to support them. Some big credit unions will do this in-house," Trudgeon said. Credit unions must determine their daily fraud limits and what their exposure is, manage that and act on best practices.
Bill Freer, CO-OP risk manager, noted that it will take time to go through the extensive list of compromised card numbers to determine exactly how many are impacted by fraud. So far, the numbers involve purchases made in brick and mortar stores, not online transactions.
Credit unions receiving inquiries from members about the breach can share Target's press release and its Letter to Guest from the Target website. Use the links to access these. They also can:
- Determine if the member shopped during the Nov. 27-Dec. 15 timeframe;
- Suggest members monitor their account online for suspicious or unusual activity. If they spot such activity, tell them to contact the credit union immediately to report the occurrences;
- Inform members about the limitations on their liability for unauthorized activity;
- Follow the credit union's established procedures for handling reports of unauthorized activity for either debit cards or credit cards;
- Let the member know they may choose to change the PIN on their debit card; and
- Follow normal procedures if the member requests a replacement card.
The Electronic Payments Coalition, of which CUNA is a member, said it has had a number of inquiries about the breach and will provide more information as it becomes available.
"Electronic payments provide consumers and merchants with many benefits including security, convenience, speed and guaranteed payment. During a breach, our first concern is for the consumers whose information was exposed and for them to be reassured that they will not be held liable for fraudulent transactions," the coalition said in a statement. "We also appreciate the impact that breaches will have on community banks and credit unions whose top priority is the protection of their customer, which can include costs such as the reissuing of cards and covering any losses their consumers incur," the coalition added.
Target has 1,797 stores in the U.S. and 124 in Canada. No Canadian stores are involved in the breach, so far. The compromised numbers are across the entire U.S., with no specific region emphasized.
Target said it is working closely with law enforcement and financial institutions, and has identified and resolved the breach issue.
"Target's first priority is preserving the trust of our guests, and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause," said Gregg Steinhafel, chairman, president/CEO of Target. "We take this matter very seriously and are working with law enforcement to bring those responsible to justice."
Watch for updates from News Now
with risk alert information.