BreachExchange mailing list archives

Target payments breach costs to banks "deeply troubling"


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 16 Sep 2014 19:25:37 -0600

http://www.ababj.com/component/k2/item/4921-target-payments-breach-costs-to-banks-deeply-troubling/4921-target-payments-breach-costs-to-banks-d

The Target consumer data breach last year was costly for banks of all
sizes—and especially for community banks—according to an ABA survey of 535
banks.

More than 8% of debit cards and nearly 4% of credit cards were implicated
in the breach, and banks reissued nearly every card so implicated,
representing tens of millions of cards reissued in response to the single
breach.

The survey respondents alone reported reissuing a combined 4.1 million
debit cards and 2.7 million credit cards; reissue cost averaged $9.72 per
debit card and $8.11 per credit card, among these respondents.

Community banks experienced disproportionately higher costs in reissuing
cards. Banks with less than $1 billion in assets spent just over $11 per
debit card and $12.75 per credit card, including mailing, card production,
and staff time. The largest banks—those with more than $50 billion—spent
less than $3 per card.

“These costs are deeply troubling for all banks, especially for community
banks,” says ABA President and CEO Frank Keating. “As each new retailer
breach occurs, these costs will be repeated over and over. Enough is
enough.”

Banks also bear the costs of retailer breaches through low reimbursement
rates. Although the survey did not cover reimbursement specifically for the
Target breach, only one third of banks reported receiving any reimbursement
for fraud losses and reissue costs in the previous five years. Of those
that did receive reimbursement, 83% said they received less than 10 cents
on the dollar—and 46% reported receiving not even a penny on the dollar.

The breach caused a major, though less quantifiable, disruption to
employees’ daily duties at the bank. Sample respondent comments from banks
with less than $1 billion in assets include:

• “Our Call Center was swamped for several weeks impacting our ability to
provide normal servicing. The amount of research necessary to review
customer transactions because customers who had shopped at Target wanted to
see if they had unauthorized transactions was enormous. The misinformation
spread by the news media was out of control. All many customers heard was
‘call your bank and have your card replaced if you have shopped at Target.’
A very large number of customer conversations occurred even if the card was
not compromised. Card issuers simply cannot prepare for an event like this.”

• “Over 323 hours were spent by 32 employees to facilitate the
responsibilities of administering the required procedures necessary to
complete this debit card compromise response. This includes time spent by
various departments such as executive, technical, customer service, and
others who were removed from their normal job duties to complete this
effort instead of performing their usual job—a detriment to the bank and
the communities we serve that cannot be easily quantified.”

Other costs also are noted in the survey, as represented by respondent
comments:

• “Phone calls [to cardholders] were placed within 24 hours of being
notified by our processor of who was affected. Phone calls were completed
by our contact center, branches, and back office areas. The branches spent
approximately 35 hours making customer calls and handling customer
complaints. Our contact center reported 40 hours in making calls and
answering increased phone call volume. Marketing spent 25 hours drafting
customer correspondence and scripts for calling customers.”

• “Our call center volume doubled and the cost per call was as high as the
cost per card. We use a third-party vendor that charges by the minute. The
additional number of calls was similar to the number of cards compromised.”

• “Public news of the Target data breach broke at the same time bank began
receiving lists of potentially compromised cards from our processor. This
news generated the largest customer reaction I have experienced to any
event in my 22 years at this bank. Bank phones rang, literally, non‐stop
for the first few business days following the public announcement. Handling
and responding to these calls consumed a majority of bank resources during
this time. Callers were alarmed and very concerned about the safety of
their accounts and personal information. Many customers requested to have
new debit cards issued to them even if their card had not been identified
as potentially compromised in the data breach.”

• “We are continuing to see an upward trend in fraud/losses. Most customers
prefer the ease of debit cards, but with all the compromises it makes it
harder to sell the product. Most people do not realize that it is NOT
Target or any other business that has endured the losses of this
compromise or any compromise or fraud losses, but rather their bank that
issued them the card that suffers the loss and stands behind our customers!”

“We have engaged for the past year in discussions with the card
associations on increasing bank reimbursement levels for data breach
costs,” Keating says. “These findings make it clear that banks bear too
much of the cost of retailers’ data breaches. We will continue to push to
get these reimbursement levels up.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
