One bank that has implemented such an approach to its transaction monitoring and has seen results is Madison, Wis.-based AnchorBank ($1.3 billion in assets). The bank started working with Fiserv's Risk Office in the spring of 2010 because the bank was taking too many losses from breaches, says Don Thornton, a card fraud analyst at the bank. Fiserv helped the bank improve its transaction monitoring so it could focus its fraud-prevention efforts on transactions that pose the highest risk, Thornton relates, and within two months AnchorBank was preventing 90% of fraud attempts against its cardholders.
"We really fully immersed ourselves and focused on analyzing trends on a daily basis. We developed an understanding of what was typical for our card base, … and we started to understand when to impact the cardholder," Thornton explains.
Based on that analysis, the bank developed a set of foundational rules to determine when a transaction poses high enough risk for the bank to take preventive action. Those rules are based on customer data such as demographics and purchasing history, and can be adjusted to handle specific incidents such as a data breach, Thornton says.
That approach paid off for AnchorBank when the retailer breaches hit last year. While many banks reissued cards en masse to prevent fraud after the breaches, AnchorBank was forced to reissue only 1% of its cards because of fraud concerns in one of its products, Thornton reports. The bank was also able to stop more than 94% of fraudulent transactions against its cardholders in December.
Strong Encryption, Strong Collaboration
Two-factor authentication can limit fraudsters' ability to use stolen credentials, and transaction monitoring can help banks know when to be on high alert, but strong encryption of payments data can help prevent credentials from being compromised to begin with. "Everyone in the payments system has to use strong encryption [the current standard is AES-256] from the point at which they receive data through the processing, storage, and final disposition of that data," says Identity Theft 911's Coffman.
It would be in everyone's interest to adopt strong encryption, which is also recommended by the Payment Card Industry (PCI) council, an industry group that sets security standards for merchants accepting card payments. But faulty installations among merchants remain an issue, Coffman says. "There's a standard out there. Some retailers just aren't following it," she observes. "People aren't motivated because the risk isn't passed on to the consumer."
Instead, the risk is passed on to banks, which have to meet strict regulatory compliance mandates or face stiff penalties. Retailers don't face the same kind of repercussions if they fail to meet PCI standards, Bank of the West's Pollino says. "I don't think that PCI has created that same kind of environment [as banks deal with] where things are examined holistically and certain actions need to be taken. You need to have some teeth to make something happen," he explains.
The upcoming EMV liability shift will provide some incentive for retailers to up their security, Pollino says. The liability shift will mean that retailers will have to take the financial hit for breaches if they don't implement EMV-compliant terminals. "I wouldn't be surprised if we see a retailer go out of business or see one of them take a big hit in their financial disclosures," Pollino predicts.
But even the liability shift might not be enough to push retailers, especially smaller ones, to implement better security, he adds. "Smaller merchants in particular may be unaware of their liability exposure," he says. "A lag in implementing additional controls can provide a great opportunity for criminals to profit. Private entities or regulatory bodies need to proactively push for greater controls."
For now, banks need to reach out to retailers to collaborate and educate them on best practices and risks that they could inherit when the liability shift occurs, Pollino says. Bank of the West has started to contact its retail partners to this end, and industry groups such as the Financial Services Roundtable, the Retail Industry Leaders Association, the American Bankers Association, and the National Retail Federation announced a partnership in February to find ways to improve payments security.
"I hope that my team's outreach and the more stories we see about this topic will help us build a dialogue with retailers. … Hopefully we don't wait until we put a bunch of money in the fraudsters' pockets first," Pollino says.
Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...