“It’s the most emotional tiiiimmme of the yeeeaaar”…
The holidays, filled with emotion. There’s so much going on – from travel, to shopping, to family gatherings, and of course the mad rush to finish out the year’s office workload. For many, it’s super stressful, which can bring on a wave of holiday-time emotion.
One thing that is often top of mind for people is their finances, and during the holiday season bank accounts and credit lines get pushed to the limit. The last thing people need to worry about is whether or not their credit or debit card will be declined due to a merchant breach while standing at the checkout line with a cart full of groceries and hungry kids!
The recent breach of cardholder data stolen from Target has been interesting to watch from so many different angles, including the emotional response. Let’s be clear: breaches, no matter how big or small, should not be taken lightly. As security professionals, it’s easy to sit back and arm-chair-QSA this breach with woulda, coulda, shoulda. We’ve seen this movie before. So, too, have cardholders. But the majority of cardholders aren’t questioning the technology used for end-to-end encryption and what may have occurred at the point-of-sale or with data in transit. Let’s look at this through the eyes of the cardholder and not through the lens of the security professional.
Cardholders are concerned about one thing – themselves. Naturally, they are concerned about losing their hard-earned dollars and being “cleaned out” as the media suggests. Credit card company liability rules can vary and many cover the cardholder completely. There are also governing rules from the FTC.
However, confused and uncertain after listening to advice provided by media outlets, cardholders also turned to many of us in the security industry as the voice of reason. People who work in finance or security, or in my case, both, undoubtedly received inquiries asking, “What should I do?” The answer depends on the individual situation. Michael Santarcangelo posted some excellent guidance on how to explain the Target breach to friends, family and co-workers.
Every day, millions of Americans hand over their credit and debit cards to strangers and think nothing of it. This is the convenient, cashless society we’ve grown accustomed to, and we’re incentivized to use it with purchase reward programs and zero liability for most fraudulent activity. However, a large breach during the holidays makes for a compelling story, and the cardholder’s emotional response takes over.
Undoubtedly, the safest choice for a cardholder who is paranoid and wants peace of mind is to block the card(s) and reissue. Reviewing transaction history is also a good idea, but reviewing purchases is something that should occur all the time, not just because of a breach.
Ironically, it seems as if cardholder due diligence does not occur regularly unless some event emotionally scares us and makes us look more closely, when looking closely should be the norm. Many institutions offer purchase alert notifications to help cardholders stay up to date the very moment a purchase is made. But some cardholders don’t take the 5 minutes required to enable this convenient service and stay in touch with their transaction activity.
In speaking to several people, there’s an interesting relationship between those who haven’t enabled alert monitoring and those who are paranoid they are going to lose all of their money. Fraud can happen anytime, not just after a large retailer breach, but it takes national news coverage to send many into a panic as if the sky is falling. As cardholders, we should be aware of any purchases made and act if one was unauthorized; this is why services like this exist. What’s the holdup?
What’s not mentioned when getting a new card(s) is all of the extra work cardholders need to do to ensure monthly charges are not declined where automatic payment options are chosen. Utility, cable, mobile phone, eCommerce sites (Amazon, iTunes, etc.), fitness dues, and the list goes on and on, all need to be updated. This can in turn trigger an outcry of emotion based on the inconvenience cardholders must go through. The issuing institution also invests a significant amount of time reissuing cards. Time is money. Let’s look at some of the time-involved activities for the cardholder AND the issuer:
- Investigating personal situation and transaction history.
- Contacting institution requesting new card(s).
- New card activation for all authorized cardholders (spouse, etc.).
- Ensuring the new activation does not conflict with someone traveling and using the card intended to be blocked. If there is a conflict, this must be coordinated to avoid declining the old card for someone who is not home.
- Update merchants storing cardholder information.
- Ensuring PINs match the intended choice.
- Lengthy meetings to assess the situation and reach a business decision.
- Cardholder analysis of cards requiring reissue (balances at risk – remember, the financial institution is absorbing the most risk if there is fraud, not the cardholder).
- Spike in call and email volume.
- Communication to cardholders (email, website, call center announcements, social media).
- Communication to employees with plans.
- Ordering cards and factoring the costs of plastic and postage.
- Coordination if cardholders want expedited cards sent and/or alternate address due to travel.
- Dealing with undeliverable mail for cardholders.
- Additional follow-up for cards not activated once received.
- Decision to block old cards after a given period of time. This will undoubtedly decline a cardholder at some point because they missed the previous communication.
The fraud loss to date after this breach must be huge with 40 million cards. With a breach this big, fraudsters need to act quickly if cardholders and institutions are reissuing. Fraud must be running rampant, right? According to at least one large service provider, this is not true, and is currently less than 1%.
While this can change, given the response by many issuers and cardholders to reissue cards, and the debit card limits imposed by JPMorgan Chase (for example), cardholders’ risk isn’t spiking as some would lead you to think. Service providers monitor for fraudulent activity all the time, and the public is unaware of nearly all of the trends because it happens behind the scenes.
When the Target breach occurred, other than the volume of cards at risk, for most providers it was very much standard operating procedure. What is not standard operating procedure is the amount of communication and updates between institutions because of the concern and the very fluid updates from Target as to what was and was not stolen. Is this emotional response driven by the number of cards announced?
Would the same frenzy have occurred if the number of cards was “only” 4 million? Fear sells and the second largest card data breach in history makes people pay attention and respond, even if they didn’t have to act.
Since Target is a publicly traded company, what about the stock price? Surely this has taken a beating with the stock market full of emotion? Years ago, as a young investor, I often heard money managers echo a common quote: “take the emotion out of the investment.”
The meaning behind this is that we make irrational decisions when we let our emotions take over. When the stock price goes up (some) people buy, but then sell off when the price drops, which can be an emotional decision. Cue Warren Buffett, who says, “be greedy when others are fearful.” Often when there’s a significant event it seems as if Wall Street reacts, for better or for worse. However, in the short time since the story broke, the stock is relatively unchanged. With all of this negative news, investors who ride a daily emotional rollercoaster don’t appear to be scared off, for now.
Lastly, several have suggested Target’s brand is damaged and loyalty is lost. However, on the last holiday shopping weekend of the year, the local Target store parking lot was full. Consumers have choice, and many chose to go back to the scene of the crime.
The security profession is without a doubt technical, but it is also very emotionally driven. People within the security industry, as well as outside it, often make emotional decisions when there is a lack of risk understanding. Whether or not the cardholder wants a new card may be out of their control if the institution decides to reissue.
However, from the moment the story broke, many cardholders emotionally responded to the situation even though there was no sign of a spike in activity and their liability in many cases is zero. Time will heal all wounds and cardholders will go about their lives, perhaps with the same behavior as prior to the breach. That is, until the next major story, at which time we may watch the same emotional movie, yet again.