
Collaborating on Compromised Plastics Procedures

This Recipe's Chef

Join in the collaboration!
If something you are doing is working well, or if you have challenges you'd like help with, please pass your ideas along to Dawn Moore and we'll post it here to share with others.


Your contact person for this recipe is Dawn Moore.

This page is an effort by CU*Answers to allow credit unions to share with each other what works (and what doesn't) when dealing with situations like the recent Heartland compromise of ATM/Debit and Credit cards.

Updated 3/12/09

What CU*Answers Can Do

Matching Card #s to Member Accounts

One painful part of the process seems to be matching up the list of compromised cards to actual member accounts so you can figure out which members are affected. Here's an option that might help: If you can give us an electronic list of card numbers (an Excel spreadsheet will work), we can compare it against your ATM/Debit (or online credit card) database.  We can assign new card numbers using a number generator and check digit calculator, build the card on the new ATM platform, and generate maintenance to the switch for the new card adds.  The process kicks out a report and database file of matching member accounts. You can then use that file with existing CU*BASE tools (such as the List Generator, or Query, or Member Connect) for further analysis or communicating with members. The compromised cards can be closed at a future date, again with card maintenance automatically being sent to the switch that night.

IF YOU WANT TO DO THIS: You will need to decide on a secure method for relaying the file to us. Do NOT just email the list! Remember that email is not a secure communication method. (And you certainly don't want to make the breach any worse!) Contact a CSR to make arrangements. Here are two methods we recommend:

  • Attach the list to an AnswerBook item - Log in to AnswerBook and use the normal procedure to Ask a Question, attaching the file as instructed (max. file size 5MB). Logging in ensures that questions and attachments are encrypted during transmission.
  • OR
  • Shuttle Secure File Transfer Services - If you do not already have a Shuttle account, review the following documents to get signed up:
    Outline and Policy
    Request Form
    Acceptable Use Agreement
    Best Practices Guidelines

NOTE: Keep in mind that the process for doing this match is not a simple one, and each file does require a fair amount of custom handling by our programmers. If you have fewer than 100 cards or so to deal with, it will be faster for your staff to work the list as you are doing now. We want to be able to help as many of you as possible, as quickly as possible. So we appreciate your help in keeping the overall project manageable by considering the size of the job before you submit your request.

Automated Update of CU*BASE Plastics Files

If your vendor can give you a file with both the old, compromised card number and the new card number that will be reissued, we can run that file through a special routine and update your CU*BASE files, copying the information from the old card directly into the new card number.

UPDATE: Here's another variation we recently handled for a CU with over 17,000 compromised cards: The CU uploaded to us a file of debit card numbers. They had already reviewed the list and reordered new cards. We used the list to close the old cards and send maintenance to the vendor (FIS, in this case).

IF YOU WANT TO DO THIS: As above, you will need to choose a secured method for sending the file to us. Contact a CSR to make arrangements.

Helpful Tips and Tools

Push your credit/debit vendor for automated solutions!

Although we will help in any way we can, the first person to ask for help managing this process might actually be your credit card or ATM/debit vendor. There might be tools and options available that you don't even know about, or that you looked at once, way back when you chose that vendor, but haven't looked at again since. A list of 300 compromised card numbers one day might be daunting enough, but imagine if you get a list of 5,000 some day.

You should be able to get your compromised card list electronically!

Some CUs were not aware that they could get an electronic version of the list of compromised card numbers from their vendor, instead of a fax. One CU mentioned just copying/pasting from the CO-OP site they use to an Excel spreadsheet. We did a bit of research and found resources on both www.us.visaonline.com and www.mastercardonline.com that might be useful as well. You should definitely contact your vendor rep and ask about options to make the process easier to manage for your staff.

Have you reviewed your Falcon Fraud settings lately?

Just canceling and reissuing a list of cards you get from your vendor obviously isn't the only thing you should be doing to protect your members. Now might be a good time to review your options for fraud detection to take advantage of the way the networks can monitor and flag potential fraud on the fly, every day.

Sample Member Communications

Here are some sample letters and scripts that some credit unions have used to explain the most recent Heartland breach to their members:

Got more tips or tools? Send them to Dawn Moore

How Will the New ATM/Debit Platform Help?

We are currently in beta with the new ATM/Debit processing platform (the "ATM Pause For a Cause" you've been hearing about over the past year), and throughout 2009 everyone will be making the conversion to this new, more powerful and flexible platform (check out the Kitchen for the details).

One of the things that will be different about this new platform compared to what you have today is that the process for approving and posting has been changed so that if you flag a card as "hot" the system will stop future approvals, but will not stop previously-approved transactions from posting. This will definitely ease the burden on your staff as they won't have as many exceptions to manually post in these situations. Watch for more information about the rollout of this new platform coming soon!

Read what CUs are saying and asking

CU Contributions
We'll use this section to post ideas you've passed along to us, in the hopes that they will help your colleagues, too. 

From Hardin Community FCU, Paige Wallace

"We have our process down pretty well now. We get our reports from the Star system, look up the account numbers, call each member and then block and reissue the cards. The frontline has found that now that they have been making the calls, it gives the members a point of contact for future questions, securing our relationship with them. I like your idea of looking up the numbers for us but our report doesn't come in Excel, however, I will be looking into how to get that done!! Also, now that we can order/reorder debit/atm cards on the (CU*BASE GOLD) system, the process of reordering is 100 times easier!!"

From the Town & Country Branch of Frankenmuth CU, Pam Pavlo says,

"We have placed notification on our website, and sent emails to members informing them of the compromise. So far we have done the following: In October we blocked affected states and reissued new cards by changing the expiration date. This only affected one of our smaller bins. In November we again blocked the affected states, notified members, blocked and reissued cards that had fraudulent charges confirmed by Falcon. Now with the massive numbers coming on the Visa & MasterCard alerts, we are in the process of looking at each individual card determining if they should be blocked and reissued. We are looking at severity of compromised information, active account, available funds and current expiration date. If cards need to be reissued we are notifying the member by letter of our actions. We are issuing a new card with a new expiration date, upon receiving the new card the member is to activate the new card, which will then shut down the old card. We give a 2 almost 3 week time frame and then check the cards for activation. All scorecard points are manually transferred."

From TBA CU, Jennifer Taylor is looking for ideas,

"After the last compromise of 300 cards +/- we learned many things that did not work so well. We had members calling the FIS lost/stolen number only to be told they have to call us also (which did not make members happy) in order to get a replacement card. So we then had to field all those calls. In addition we had to take the compromised list, get the member number, then get their addresses and mail them a letter. We then had to go off of the lost/stolen list from FIS, go into CU Answers to add and emboss new card, then go out into FIS to replace the cards out on that system. This was all incredibly time consuming and a lot of work for us as well as confusing to the members. It used to be they called PSCU and they were done. All we had to do were letters for members and answer questions if they called us and that is it. This has me thinking that what we now have to do with a compromised list is crazy, there must be a better way and I am hoping you can lead me in that direction...When I read the sample letter...from other credit unions it seems to me they are doing something that we are not. They seem to be automatically issuing members a new number and closing the old at a specific date. This seems like it would be a lot more convenient for our members and ourselves. No more mass phone calls or people inconvenienced because they are without a card. Is there anyone with the FIS/CU*Answers team that is taking this approach with compromised cards currently? If they are can I get the specific details on how to make that happen and what we would need to do on our end please? We now have another compromise list with just under 200 cards listed and we would certainly not like to repeat the process we just went through. Any help, guidance, referrals or direction you can give us would be appreciated."

First Trust FCU has the process down pat, says Dan Rajsic:

We had nearly 2,000 cards to reissue with the Heartland breach. We get the CAMS list as a text file, which I convert to Excel. I use Report Builder/Query to pull info from the PLASTIC and MASTER files in FILEXX. I save this to a file in QUERYXX and download to my PC as Excel. This gives me a database of all our active card base with names, addresses, account bases, hot card indicators, bad address indicators, etc.

I use the VLOOKUP function in Excel to lookup card numbers in the CAMS list against my database. Anything without a match is a closed card I don’t have to reissue. I then have a full list of cards to reissue, with every piece of info needed. No one has to do any inquiry on accounts.

With a list as large as Heartland, we had teams doing different functions.

  1. Back office issues new cards with Star.
  2. Tellers do comments. By using copy and paste functions in CU*BASE GOLD, they flew through this.
  3. Member Service reps did Trackers. Again by using copy and paste, it was fast.

I also use Mail Merge to merge my Excel reissue list with a Word doc to create custom letters. I even use the RIGHT function in Excel to get the last 4 digits of their card number, then use CONCATENATE to make it show like XXXX-XXXX-XXXX-1234.

Management does the mass mailing, because no one wants a supervisor doing data entry.

By doing this, we reissued nearly 2,000 cards by ourselves in 3 days. This may be a bit much for someone not experienced with CU*BASE and Excel, but it is definitely doable. I also make sure to encrypt the files I am working with.
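
The matching step described above (comparing a compromised-card list against the active card base, as in "Matching Card #s to Member Accounts" and in the VLOOKUP workflow) can also be scripted. The following is an added example, not code from CU*Answers or First Trust FCU: the column names and file layouts are assumptions, the card numbers are constructed from industry test numbers, and the Luhn check is the standard payment-card check-digit test, used here to catch rows damaged during text-to-spreadsheet conversion.

```python
import csv
import io

# Constructed sample data: industry test card numbers, not real accounts.
CAMS_LIST = """4111111111111111
5500 0000 0000 0004
4012888888881881
4111111111111112
"""
# Hypothetical export layout; real PLASTIC/MASTER query columns will differ.
ACTIVE_CARDS = """card_number,account_base,member_name,hot_card
4111111111111111,10001,A. Member,N
5500000000000004,10002,B. Member,Y
6011111111111117,10003,C. Member,N
"""

def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Show only the last four digits, as in the member letters."""
    return "XXXX-XXXX-XXXX-" + pan[-4:]

def build_reissue_list(cams_text: str, active_csv: str):
    """Return (reissue rows, masked closed cards, rejected line numbers)."""
    active = {r["card_number"]: r for r in csv.DictReader(io.StringIO(active_csv))}
    reissue, closed, rejected = [], [], []
    for lineno, line in enumerate(cams_text.splitlines(), 1):
        pan = "".join(ch for ch in line if ch.isdigit())
        if not pan:
            continue
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            rejected.append(lineno)      # likely a keying or conversion error
        elif pan in active:
            row = active[pan]
            reissue.append({"account_base": row["account_base"],
                            "member_name": row["member_name"],
                            "masked": mask(pan),
                            "already_hot": row["hot_card"] == "Y"})
        else:
            closed.append(mask(pan))     # no active match: nothing to reissue
    return reissue, closed, rejected

if __name__ == "__main__":
    for part in build_reissue_list(CAMS_LIST, ACTIVE_CARDS):
        print(part)
```

Only masked numbers leave the function, so the reissue list can feed a mail merge without carrying full card numbers; rejected rows are reported by line number for the same reason.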

Future Plans

Whether it be a compromise at a data processing vendor like Heartland or a report of a stolen laptop full of credit card numbers, events like these aren't going away any time soon. So we continue to review what kinds of software tools and support services CU*Answers and/or Xtend could offer to assist.

Lend your voice to the effort...what services or tools would help you the most? Call Center services to contact members directly? Mailing services to print, collate, stuff, and mail personalized letters to a list of members? Data entry staff to set up card records, handle reissue orders, flag hot cards, etc.?

Both CU*Answers and Xtend are working on plans to provide a full line of support services for credit unions, to assist with the coordination, data maintenance, member communications, and other activities related to handling situations like these in the future. Let us know your ideas!

