Best Practices for Dealing With An Account Compromise

You’ve just received an e-mail from Visa’s Compromised Account Management System (CAMS) alerting you that some of your accounts may be at risk. Now what? This is a common problem for today’s issuer. The good news is that there are a variety of ways to address account compromises that minimize the impact on your customers while still protecting against fraudulent activity. The following are considered industry best practices for responding to these events:
1. Prioritize the exposed accounts.
Determine how many of the exposed accounts are still active, and whether any of the accounts have been closed due to fraudulent activity.
• If you have closed accounts that were involved in fraud, compare the fraud pattern on the closed accounts with the circumstances or fraud pattern described in the CAMS alert message. For example, if the CAMS alert describes a fraud pattern of full magnetic-stripe counterfeit taking place, you should determine whether your fraud patterns are similar. If the CAMS alert describes a compromise involving only account numbers and expiration dates, you may be looking for card-not-present fraud patterns.
• If you detect similar fraud patterns, you may want to consider blocking and reissuing cards for the affected “active” accounts. Fraud patterns matching the data elements compromised are often tell-tale signs that someone has already obtained some of your accounts and has used them; this indicates that the other accounts may also have been exposed. Continue to monitor the compromised accounts for card-present activity with invalid or missing Card Verification Values (CVV), as these may be signs of counterfeit cards.
• If you haven’t seen any signs of fraud that you believe could be linked to the reported account compromise incident, continue to monitor your accounts in accordance with best practices. It is often difficult to determine with certainty whether the hacker was able to retrieve all of the exposed account numbers, including those from your institution. In this situation, it is recommended that these accounts continue to be monitored closely and placed in authorization strategies with heightened controls. It is not uncommon for criminals to store account data until the expiry date of the card.
2. Comprehensively evaluate the exposure.
Monitor the fraud rates on the group of exposed accounts and compare them with the portfolio average. Take into consideration the number of cards affected, the daily spending limits on the cards, and the likelihood that fraud may occur. Also assess the likelihood that the fraud will take place in the card-not-present environment, which may allow for chargeback rights on fraudulent transactions.
3. Narrow down the high-risk possibilities.
For incidents involving the compromise of full track data, the accounts that were reissued after the compromise date are not likely to be “high-risk”, because the reissued account will have a new Card Verification Value (CVV, CVV2) and expiration date.
4. Check for upcoming expirations.
Determine how many of the exposed accounts will be expiring in the next 30 to 180 days. Consider moving up the reissue on those accounts. Note that changing the card account number may not be necessary; issuing the same card account number with a different expiration date creates a new CVV and CVV2, thereby protecting against future counterfeit card-present fraud, and this may help reduce the impact to cardholders. Also consider applying atypical expiration lengths (e.g., 26 months versus 24). These procedures can help to minimize the impact to the customer, particularly with regard to recurring payments. If you participate in Visa Account Updater, make sure to provide the new card information to minimize cardholder declines for bill pay or other recurring transactions.
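As an added example that is not part of the Visa document, the following Python triage applies the prioritization rules of steps 1 through 4 to a constructed list of exposed accounts. The account tokens, dates, field names and action labels are assumptions; cards inside the 30-day window are assumed to be in the normal reissue cycle already.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class ExposedAccount:
    token: str                     # placeholder standing in for the account number, never a real PAN
    active: bool                   # False if the account has been closed
    closed_for_fraud: bool         # closed because of fraudulent activity
    expires: date                  # current card expiration date
    last_reissued: Optional[date]  # date of the most recent reissue, if any
    fraud_matches_alert: bool      # issuer has seen fraud fitting the alert's pattern

def triage(acct, compromise_date, today, full_track_compromise):
    """Return the recommended handling for one exposed account (labels are assumptions)."""
    if not acct.active:
        # Step 1: closed-for-fraud accounts are the evidence to compare against the alert.
        return "compare_pattern_with_alert" if acct.closed_for_fraud else "no_action"
    if acct.fraud_matches_alert:
        # Step 1: a matching fraud pattern on active accounts -> block and reissue.
        return "block_and_reissue"
    if (full_track_compromise and acct.last_reissued is not None
            and acct.last_reissued > compromise_date):
        # Step 3: reissued after the compromise -> new CVV/CVV2 and expiry, not high risk.
        return "low_risk_monitor"
    days_left = (acct.expires - today).days
    if 30 <= days_left <= 180:
        # Step 4: expiring within 30 to 180 days -> move the reissue forward.
        return "move_up_reissue"
    # Otherwise: heightened authorization controls; criminals may hold data until expiry.
    return "monitor_heightened_controls"

def triage_portfolio(accounts, compromise_date, today, full_track_compromise):
    """Group tokens by action so block and reissue lists can be cut directly."""
    plan = {}
    for acct in accounts:
        action = triage(acct, compromise_date, today, full_track_compromise)
        plan.setdefault(action, []).append(acct.token)
    return plan

# Constructed sample: a full-track compromise dated 15 Sep 2010, worked on 1 Nov 2010.
COMPROMISE_DATE, TODAY = date(2010, 9, 15), date(2010, 11, 1)
SAMPLE = [
    ExposedAccount("tok-001", True, False, date(2011, 2, 28), None, False),
    ExposedAccount("tok-002", True, False, date(2012, 5, 31), date(2010, 10, 1), False),
    ExposedAccount("tok-003", False, True, date(2011, 8, 31), None, True),
    ExposedAccount("tok-004", True, False, date(2012, 5, 31), None, True),
    ExposedAccount("tok-005", True, False, date(2012, 5, 31), None, False),
]
PLAN = triage_portfolio(SAMPLE, COMPROMISE_DATE, TODAY, full_track_compromise=True)
```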
5. Apply effective risk decisioning tools.
Establish authorization strategies that use the Visa Advanced Authorization risk score and risk condition code. Use the Compromised Event Reference ID for real-time recognition of compromised accounts, to filter at-risk accounts and optimize fraud detection at the point of sale. Combine the Visa Advanced Authorization risk score and compromised risk condition codes with Visa’s rule-based decisioning solutions to stop fraud at an exceptional false-positive ratio and ensure minimal customer impact. For more information please contact your Visa Account Representative or e-mail VAA_VRM@visa.com.

Additional Information

Promptly Notify Visa of Suspected Compromises
By doing so, Visa can take action to investigate and determine the validity of the potential compromise. In the early stages of an investigation, Visa may issue a CAMS Proactive Alert, which is designed to notify Visa clients as quickly as possible of a potential compromised event and its related accounts. If the compromised event is confirmed, a follow-up CAMS alert is distributed to all affected financial institutions.
6. Notify your dispute area of the compromise.
This ensures that appropriate action can be taken immediately. The disputes team can also help to detect emerging fraud patterns in the group of exposed accounts.
7. Know your insurance rights and liabilities.
If your financial institution has counterfeit fraud insurance coverage, you may need to review your coverage with your carrier and discuss the impact of not blocking and reissuing new cards.
8. Report fraud.
Make sure you or your processor properly reports fraud to Visa through the Fraud Reporting System, Visa’s centralized clearing house that helps you to report, track and analyze fraudulent transactions.

Reporting a Suspected Compromise
Visa has developed a Common Point of Purchase (CPP) identification form for issuers to complete when reporting a possible data compromise. This form, available at Visa Online, must be completed and submitted to Visa via Visa Online’s secure e-mail in order for a fraud investigation to be considered. Issuers are reminded that the CPP identification form is not a replacement for reporting fraud through the Fraud Reporting System (FRS) and is to be used solely for investigative and tracking purposes.
About Visa Account Updater
The Visa Account Updater provides a platform for issuers to communicate current changes to cardholder account information, through acquirers, to merchants whose business models support electronic maintenance of customer account data. Participating merchants use this updated account information to support account-on-file functions, such as recurring payments, preferred customer programs, and express payment options. For more information please contact your Visa Account Representative.
About Visa Advanced Authorization
[Diagram: Authorization Request → VisaNet Authorization Message Stream → In-Flight Scoring Engine (Visa Global Profiles; Global Transaction & Fraud Data; Neural Networks; Statistical Models) → Authorization Request with Approve/Decline at the issuer (Issuer Authorization Strategies; Visa Risk Manager; Falcon Fraud Manager)]
Visa Advanced Authorization is part of a comprehensive suite of fraud management solutions that extends the power of Visa Global Processing by helping issuers optimize loss prevention and better manage risk through effective risk decisioning capabilities. It evaluates 100% of transactions using the comprehensive global data available only through VisaNet to deliver outstanding fraud protection accuracy without burdening your internal systems. The real-time nature of the product also enables faster response to emerging fraud schemes. Visa also offers additional risk solutions that provide another layer of decisioning intelligence to Visa Advanced Authorization, allowing you to decline the highest-risk transactions while optimizing approval rates at the point of purchase. This means reduced risk exposure for you and the freedom for your customers to use their Visa cards in more places. For more information please contact your Visa Account Representative or e-mail VAA_VRM@visa.com.
© 2010 Visa Inc. All Rights Reserved. VRM 10.28.10