Title: Plastic Card Requirements
1Plastic Card Requirements
- Both CUNA Mutual and Credit Unions Need to Take
Action!
2Agenda
- Plastic Card Industry Issue
- CUNA Mutual Actions
- Not EnoughMore Changes Necessary
- Answer Your Questions
3Plastic Card Losses Report Year
2005 56 increase in credit union losses
Credit Union Reported Losses CUMIS Insurance
Society Inc., 12/31/2005
4(No Transcript)
5(No Transcript)
6CUNA Mutual Actions
- Onsite analysis of credit union card operations
and security features - Educational efforts and tools
- Developed Plastic Card Security Best Practices
- Webinars and fraud forums
- RISK Alerts
- Plastic Card Customer Care Center
- League and association functions and industry
publications - Analysis and collaboration with card processors
- Legal action against BJs Wholesale and Fifth
Third Bank on behalf of CUMIS Insurance Society,
Inc. and almost 200 credit union partners - Advocacy role with card associations
7Plastic Card Losses Report Year
?
120
100.1
85.0
100
89
80
51.5
60
38.6
57
40
40
39
20
0
2002
2003
2004
2005
2006
Credit Union Reported Losses CUMIS Insurance
Society Inc., 12/31/2005
8Fraud Loss Benchmarks
- VISA professes that industry average 6 BP fraud
loss rate - Fraud Fraud Losses
- Sales Transacted
- Results Expressed in Basis Points
- 1 Basis Point 1 hundredth of 1
- Multiply answer by 10,000 to convert to BP
- Can be used over any period of time
- Commonly measured using monthly or quarterly
results
9Industry Standard Measurement
- Adjusts automatically along with growth and
increased card use - Compares fraud losses to transaction dollars
that drive interchange revenue - Works across card types and programs
- Good Peer benchmark
10Credit Union Action is Needed
- Ensure that your credit union has all of the
plastic card security requirements and best
practices in place - Ensure that CVV/CVC is being validated on all
magnetic stripe authorizations - including debit
PIN transactions - Follow the claims and recovery documentation
requirements
11CVV/CVC Validation PIN Based Transactions
- Problem identified in phishing scams
- Members provided debit card and PIN
- Fraudulent ATM withdrawals followed quickly
- CVV/CVC not validated
- Effective July 1, 2006 no coverage if CVV/CVC
is not validated on debit PIN transactions
12Implement All Security Requirements
- CVV/CVC
- CVV2/CVC2
- Exact Cardholder Expiration Date
- Card Activation
- Address Verification Service
- Internet Card Security
13Claims Documentation Requirements
- Timely reporting of losses
- Complete list of requirements on Proof of Loss
summary page - CVV/CVC result code for magnetic stripe
transactions - CVV2/CVC2 result code and/or
- Address Verification Service result code and/or
- Verified by Visa or MasterCard SecureCode result
code
14Recovery Requirements
- Pursue chargeback and compliance processes
- Return funds to us if compliance recovery is
awarded - Provide association denial letter if not
successful in compliance process
15Breach of Merchant Database
16Compromised Cards
- Can be used for POS 90 (swiped) transactions if
full magnetic stripe data is compromised - CVV/CVC matches
- Expiration dates match
- Can be used for key entered transactions (POS 01
or 81) - Card present environment
- Card not present environment
17Compromised Card Numbers Loss Controls
- Minimize loss exposure
- Block affected card numbers through expiration
date - Issue new card numbers
- The most effective method of preventing fraud in
this situation - Alternative is to monitor compromised accounts
closely - Code accts on Visa terminal with CAMs alert
- May assist processors fraud analyst when
evaluating neural network alerts - Will be useful if counterfeit skimming fraud
occurs in the future (i.e., identify potential
compliance eligible losses) - Recover losses through Visas Compliance process
- Compliance process to be replaced with Account
Data Compromise Recovery process October 1, 2006
18Visas Compliance Filing Process Existing
RulesScenario 1
- 180 days from the date of the fraud if the fraud
occurred subsequent to the date of the alert - Applies when compromised accounts are monitored
rather than blocked/reissued - Review authorization logs to determine if card
was used at merchant during the time of
compromise exposure outlined in CAMs alert - You must first obtain the acquirer ID number
through Visa Resolve Online (877-847-2765) - Initiate compliance process if card was used at
merchant (identified by acquirer ID ) during
compromise exposure time frame
19Visas Compliance Filing Process Existing Rules
Scenario 2
- 180 days from the date of the CAMs alert if the
fraud occurred before the date of the alert - Check status of accounts listed in the alert
- If accounts are already blocked and reissued due
to counterfeit-skimming fraud determine if it
occurred subsequent to the date of the merchant
breach listed in the alert - Review authorization logs to determine if card
was used at merchant during the time of
compromise exposure outlined in CAMs alert (must
search by acquirer ID number) - If so, initiate pre-compliance process
- Easy way is to compare plastic card fraud
tracking spreadsheet to spreadsheet containing
compromised accounts from CAMs alerts
20Underwriting Requirement for Policies/Renewals
Effective on or after August 1, 2006
- Fraud Detection System
- Credit, debit and ATM only branded cards
- Fraud monitoring 24/7/365
- Response capability 24/7/365, including ability
to identify high risk activity and block or
decline transactions when necessary
21Underwriting Guidelines
- Current level of fraud risks and losses in
industry - Individual credit union experience
- Portfolio activity and exposure to fraud
- Utilization of the Plastic Card Security Best
Practices
22Underwriting Actions
- Establishment of Per Card Number Limits for all
policyholders - Increased use of Per Card Number Deductibles
- Increased use of Co-Payments
- Increases in Annual Aggregate Deductibles
23Underwriting Actions
- Co-Pay Example
- Credit union has 100,000 Annual Aggregate
Deductible, - 20 Co-Pay
- Loss Amount CU Retention Payable Claim
- 75 Losses 100,000 (under deductible) 0
- Total 100,000
- 1 Loss 2,000 (20 co-pay) 8,000
- Total 10,000
24Underwriting Actions
- Per Card Number Deductible and Per Card Number
Limit Example - Credit union has 100 PCND, 10,000 PCNL, 2,500
AAD - Loss 12,000 - 100 11,900 (PCNL is 10,000)
- Claim 10,000 - 2,500 7,500
- Note Losses eliminated by the Per Card Number
Deductible (PCND) or the Per Card Number Limit
(PCNL) do not count toward the Annual Aggregate
Deductible (AAD) and the Annual Aggregate Limit
(AAL).
25Must Fix Now
- Neither our company nor credit unions can
continue to sustain the current level of losses. - We need to work together to maintain the
viability of a plastic card program.
26Ken Otsuka, CPA Senior Risk Management
Specialist Credit Union Protection Risk
Management CUNA Mutual Group kenneth.otsuka_at_cunamu
tual.com 847-612-9653