This is an advisory letter regarding plastic card losses (both debit and credit cards) due to fraudulent activity. Credit unions that participate in or offer these programs should pay particular attention to this issue.
Plastic card fraud and the resulting losses are affecting both debit and credit card programs in an increasing number of credit unions. Some credit unions that have experienced losses thought they had adequate security measures in place, but because of contractual deficiencies, misunderstandings, or miscommunications with their processors, the security measures they thought were in place were not operative. In addition, criminals are using increasingly sophisticated methods to commit plastic card fraud.
Failure to protect plastic card operations is a significant safety and soundness concern. Credit unions should immediately review their contracts with credit and debit card processors to ensure that they have employed adequate loss prevention measures (discussed below). Credit unions should assess the measures they currently have in place and, if those measures are not adequate, they should immediately develop plans for implementing the necessary measures to reduce or eliminate plastic card losses.
Background. Recently, a number of credit unions have been victimized by overseas groups that were able to generate significant amounts of fraudulent debit card transactions. In some cases, the credit unions' losses have exceeded their plastic card insurance limit. Further, because of rising losses in plastic card programs, some insurers have given notice to their credit union bondholders with plastic card programs that, unless these credit unions institute certain internal controls, insurers may reduce or eliminate their plastic card coverage in the near future. Currently, credit unions that have plastic card insurance coverage share in the losses through higher deductibles and losses that exceed their insurance limits. Reduction or elimination of plastic card coverage means that the credit union must have sufficient earnings and capital to absorb any uninsured plastic card losses it may incur.
Loss Prevention Measures. The following loss prevention measures are currently the most effective ways for credit unions to reduce or eliminate plastic card losses:
- Card Activation. Processors should send new and renewal plastic cards to credit union member cardholders in an inactive mode. Before using the cards, cardholders must activate the cards by going through customer verification procedures. Card activation programs can significantly reduce the plastic card losses associated with the theft of cards from the mail.
- CVV/CVC (Card Verification Value/Card Validation Code). VISA's Card Verification Value (CVV) and MasterCard's Card Validation Code (CVC) combat counterfeit fraud through use of special numbers encoded on the magnetic strip of credit and debit cards. When the merchant passes the card through the point of sale reader at the time of sale, the transaction will be rejected and not receive authorization if the special code on the card does not exist or does not match the code maintained by the card processor. However, for CVV/CVC to work, credit unions must have their authorization response codes set to decline the authorization. Credit unions should confirm with their processors that CVV/CVC has been implemented on all cards in production, that CVV/CVC is fully operational and being read on all cards, and that their authorization response codes are set to decline the authorization for all credit and debit transactions. This includes the credit union's response code for CVV/CVC mismatches and the response code for Expiration Date Mismatch; both should be set to decline the authorization. CVV/CVC can serve as an effective counterfeit deterrent if administered and monitored properly by the credit union. You should consider accelerating your card renewal process to ensure that 100 percent of all credit/debit cards are CVV/CVC encoded.
- Neural Network. Neural networks track spending patterns of both cardholders and typical fraud transactions. If monitored effectively, neural networks can detect fraudulent use of a plastic card. By employing and continuously monitoring neural networks, credit unions or their processors can react faster and more efficiently to signs of potential fraud. However, some processors have decided not to perform weekend monitoring of transactions, thereby greatly reducing the neural network's effectiveness. For maximum protection, credit unions may want to request that their processors monitor transactions 24-hours a day, 7-days a week, including holidays, to detect potential fraud early on.
Visa and MasterCard offer stand-in processing to credit unions; however, before employing this option, credit unions should understand the risks involved. Stand-in processing involves authorization of cardholder transactions when the issuer's processor is unable to perform the authorization. Credit unions that select this option may create a greater risk than they intended, since the stand-in processor (Visa or MasterCard) does not maintain the issuer's cardholder data. This may preclude the stand-in processor from checking the cardholder's available-to-buy balance on a credit card or the available balance for a debit card. In addition, even when a card number has not yet been assigned to an issuer's cardholder, a transaction using an unassigned card number may receive authorization if it is within the financial institution's BIN range of valid card numbers. This could result in a cardholder's transaction exceeding the approved credit card limit, a negative balance in the cardholder's account, or the inability to post the transaction to a valid cardholder account. Credit unions allowing stand-in processing should talk to their processors about hours of operation and should set reasonable issuer limits to minimize the potential risk.
While some credit unions have installed the appropriate safety measures, many have not. For credit unions that do not install the necessary safety measures described, insurers may reduce or eliminate plastic card coverage. Credit unions that have lost, or can lose plastic card coverage, should immediately assess their earnings and capital positions to ensure that they can absorb potential related losses.
Norman E. D'Amours