Plastic Card Requirements

1
Plastic Card Requirements

• Both CUNA Mutual and Credit Unions Need to Take
  Action!

2
Agenda

• Plastic Card Industry Issue
• CUNA Mutual Actions
• Not EnoughMore Changes Necessary
• Answer Your Questions

3
Plastic Card Losses Report Year
2005 56 increase in credit union losses
Credit Union Reported Losses CUMIS Insurance
Society Inc., 12/31/2005
4
(No Transcript)
5
(No Transcript)
6
CUNA Mutual Actions

• Onsite analysis of credit union card operations
  and security features
• Educational efforts and tools
• Developed Plastic Card Security Best Practices
• Webinars and fraud forums
• RISK Alerts
• Plastic Card Customer Care Center
• League and association functions and industry
  publications
• Analysis and collaboration with card processors
• Legal action against BJs Wholesale and Fifth
  Third Bank on behalf of CUMIS Insurance Society,
  Inc. and almost 200 credit union partners
• Advocacy role with card associations

7
Plastic Card Losses Report Year
?
120
100.1
85.0
100
89
80
51.5
60
38.6
57
40
40
39
20
0
2002
2003
2004
2005
2006
Credit Union Reported Losses CUMIS Insurance
Society Inc., 12/31/2005
8
Fraud Loss Benchmarks

• VISA professes that industry average 6 BP fraud
  loss rate
• Fraud Fraud Losses
• Sales Transacted
• Results Expressed in Basis Points
• 1 Basis Point 1 hundredth of 1
• Multiply answer by 10,000 to convert to BP
• Can be used over any period of time
• Commonly measured using monthly or quarterly
  results

9
Industry Standard Measurement

• Adjusts automatically along with growth and
  increased card use
• Compares fraud losses to transaction dollars
  that drive interchange revenue
• Works across card types and programs
• Good Peer benchmark

10
Credit Union Action is Needed

• Ensure that your credit union has all of the
  plastic card security requirements and best
  practices in place
• Ensure that CVV/CVC is being validated on all
  magnetic stripe authorizations - including debit
  PIN transactions
• Follow the claims and recovery documentation
  requirements

11
CVV/CVC Validation PIN Based Transactions

• Problem identified in phishing scams
• Members provided debit card and PIN
• Fraudulent ATM withdrawals followed quickly
• CVV/CVC not validated
• Effective July 1, 2006 no coverage if CVV/CVC
  is not validated on debit PIN transactions

12
Implement All Security Requirements

• CVV/CVC
• CVV2/CVC2
• Exact Cardholder Expiration Date
• Card Activation
• Address Verification Service
• Internet Card Security

13
Claims Documentation Requirements

• Timely reporting of losses
• Complete list of requirements on Proof of Loss
  summary page
• CVV/CVC result code for magnetic stripe
  transactions
• CVV2/CVC2 result code and/or
• Address Verification Service result code and/or
• Verified by Visa or MasterCard SecureCode result
  code

14
Recovery Requirements

• Pursue chargeback and compliance processes
• Return funds to us if compliance recovery is
  awarded
• Provide association denial letter if not
  successful in compliance process

15
Breach of Merchant Database
16
Compromised Cards

• Can be used for POS 90 (swiped) transactions if
  full magnetic stripe data is compromised
• CVV/CVC matches
• Expiration dates match
• Can be used for key entered transactions (POS 01
  or 81)
• Card present environment
• Card not present environment

17
Compromised Card Numbers Loss Controls

• Minimize loss exposure
• Block affected card numbers through expiration
  date
• Issue new card numbers
• The most effective method of preventing fraud in
  this situation
• Alternative is to monitor compromised accounts
  closely
• Code accts on Visa terminal with CAMs alert
• May assist processors fraud analyst when
  evaluating neural network alerts
• Will be useful if counterfeit skimming fraud
  occurs in the future (i.e., identify potential
  compliance eligible losses)
• Recover losses through Visas Compliance process
• Compliance process to be replaced with Account
  Data Compromise Recovery process October 1, 2006

18
Visas Compliance Filing Process Existing
RulesScenario 1

• 180 days from the date of the fraud if the fraud
  occurred subsequent to the date of the alert
• Applies when compromised accounts are monitored
  rather than blocked/reissued
• Review authorization logs to determine if card
  was used at merchant during the time of
  compromise exposure outlined in CAMs alert
• You must first obtain the acquirer ID number
  through Visa Resolve Online (877-847-2765)
• Initiate compliance process if card was used at
  merchant (identified by acquirer ID ) during
  compromise exposure time frame

19
Visas Compliance Filing Process Existing Rules
Scenario 2

• 180 days from the date of the CAMs alert if the
  fraud occurred before the date of the alert
• Check status of accounts listed in the alert
• If accounts are already blocked and reissued due
  to counterfeit-skimming fraud determine if it
  occurred subsequent to the date of the merchant
  breach listed in the alert
• Review authorization logs to determine if card
  was used at merchant during the time of
  compromise exposure outlined in CAMs alert (must
  search by acquirer ID number)
• If so, initiate pre-compliance process
• Easy way is to compare plastic card fraud
  tracking spreadsheet to spreadsheet containing
  compromised accounts from CAMs alerts

20
Underwriting Requirement for Policies/Renewals
Effective on or after August 1, 2006

• Fraud Detection System
• Credit, debit and ATM only branded cards
• Fraud monitoring 24/7/365
• Response capability 24/7/365, including ability
  to identify high risk activity and block or
  decline transactions when necessary

21
Underwriting Guidelines

• Current level of fraud risks and losses in
  industry
• Individual credit union experience
• Portfolio activity and exposure to fraud
• Utilization of the Plastic Card Security Best
  Practices

22
Underwriting Actions

• Establishment of Per Card Number Limits for all
  policyholders
• Increased use of Per Card Number Deductibles
• Increased use of Co-Payments
• Increases in Annual Aggregate Deductibles

23
Underwriting Actions

• Co-Pay Example
• Credit union has 100,000 Annual Aggregate
  Deductible,
• 20 Co-Pay
• Loss Amount CU Retention Payable Claim
• 75 Losses 100,000 (under deductible) 0
• Total 100,000
• 1 Loss 2,000 (20 co-pay) 8,000
• Total 10,000

24
Underwriting Actions

• Per Card Number Deductible and Per Card Number
  Limit Example
• Credit union has 100 PCND, 10,000 PCNL, 2,500
  AAD
• Loss 12,000 - 100 11,900 (PCNL is 10,000)
• Claim 10,000 - 2,500 7,500
• Note Losses eliminated by the Per Card Number
  Deductible (PCND) or the Per Card Number Limit
  (PCNL) do not count toward the Annual Aggregate
  Deductible (AAD) and the Annual Aggregate Limit
  (AAL).

25
Must Fix Now

• Neither our company nor credit unions can
  continue to sustain the current level of losses.
• We need to work together to maintain the
  viability of a plastic card program.

26

• Questions ?

Ken Otsuka, CPA Senior Risk Management
Specialist Credit Union Protection Risk
Management CUNA Mutual Group kenneth.otsuka_at_cunamu
tual.com 847-612-9653