48 posts categorized "Payments Processors"

Payment Processors: A New I've Been Mugged Topic

When consumers purchase a product or service with some form of plastic (e.g., credit cards, debit cards, prepaid cards) and their mobile device, usually several companies are involved in completing that transaction: getting the money to the retailer (online or brick-and-mortar). While many consumers may believe that only their bank is involved in processing the transaction, the reality is that more companies are often involved.

One type of company involved is the payment processor: a company that processes these financial transactions. Sometimes these payment processor companies experience data breaches where sensitive customer information is lost or stolen. With recent events in the banking industry, and the spread of prepaid debit cards, this new topic can help you more easily read about and understand what is happening within the banking and retail industries.

I have tagged this new topic retroactively to archived blog posts, so you can read and understand the types of information available. See the new "Payment Processors" topic. I hope that you find it useful.


The Companies Involved In Payment Transactions When Consumers Buy Items

When consumers pay for products and services, today they have a wide variety of options. To make these options work, a variety of companies are involved behind the scenes in the payment transactions: the companies money and information flow through after a consumer purchases something at the checkout register. Consumers may not realize the wide variety of different companies involved.

Companies involved in the payment transaction flow often have their own privacy policies and their own collection of consumers' sensitive information -- driven by their agreement with the retailer or bank. And, each company involved may experience data breaches where consumers' sensitive information is exposed or stolen:

| Company Type / Payment Method | Cash | Credit Card | Debit Card | Retailer's Prepaid Card (1) | Bank Prepaid Card (2) | Prepaid Card: FSA (3) | Smart Phone |
|---|---|---|---|---|---|---|---|
| Brick-&-mortar retail store | No | Yes | Yes | Yes | Yes | Yes | Yes |
| Online retail website | n/a | Yes | Yes | Yes | Yes | Yes | n/a |
| Retailer's partners &/or affiliates (4) | n/a | Yes | Yes | Yes | Yes | Yes | Yes |
| Your bank | n/a | Yes | Yes | n/a | Yes | Yes | Yes |
| Retailer's bank | n/a | Yes | Yes | Yes | Yes | Yes | Yes |
| Payments Processor (5) | No | Yes | Yes | Yes | Yes (6) | Yes | Yes |
| Your Employer | n/a | n/a | n/a | n/a | Yes | Yes | Yes |
| Healthcare Vendor (7) | n/a | n/a | n/a | n/a | No | Yes | n/a |
| Wireless Provider | n/a | n/a | n/a | n/a | n/a | n/a | Yes |
| Mobile Device Manufacturer | n/a | n/a | n/a | n/a | n/a | n/a | Yes |
| Mobile Device Operating System Developer (8) | n/a | n/a | n/a | n/a | n/a | n/a | Yes |
| Mobile App Developer (8) | n/a | n/a | n/a | n/a | n/a | n/a | Yes |
| App Store | n/a | n/a | n/a | n/a | n/a | n/a | Yes |

Footnotes:

  1. Includes gift cards offered by retailers that are good only at that retailer's stores.
  2. Includes general-purpose prepaid cards usually offered by banks
  3. Includes prepaid cards used by employers to administer healthcare Flexible Spending Accounts
  4. Includes outsourced vendors that administer a retailer's email marketing programs, cloud-based storage services, customer relationship management databases, mobile marketing services, product fulfillment, and/or data mining services; plus companies that perform co-marketing campaigns
  5. The bank and/or company that processes the debit/credit card transactions
  6. Applies to employers that pay employees via payroll debit cards
  7. Some employers outsource the administration of their healthcare Flexible Spending Account (FSA) program to an external vendor, and issue participating employees a special prepaid card
  8. The company that develops and maintains this software for mobile devices

What do you think about the above chart?


Chicago Transit Authority Riders To Use New Ventra Card Starting This Summer

Last month, the CBS television network affiliate in Chicago reported about a new fare card to be offered this summer in Chicago by the local public transit authority. The news report stated:

"... one of the companies behind the new card gets an F rating from the Better Business Bureau... It will be offered by Money Network, which is owned by First Data. Money Network currently has an F rating with the BBB."

Reportedly, the "F" rating was based on complaints by consumers since 2010. Chicago officials said that the new Ventra fare system will save the Chicago Transit Authority (CTA) about $50 million during its 12-year contract with Money Network.

The new Ventra fare card will be available for Chicago consumers during the summer of 2013. Consumers will have the option to use the Ventra card to pay for CTA fares, or to opt in and also use it as a prepaid debit card to pay for purchases at local retail stores. By 2014, the CTA will migrate fully from the current Chicago Card and Chicago Card Plus payment methods to the new Ventra system. In the future, consumers will also be able to pay using their smart phones.

I visited the Ventra Chicago website to learn more. The website provides some information about this new fare and prepaid card:

"Cards are issued by MetaBank™, Member FDIC, pursuant to license by MasterCard International Incorporated. MasterCard and the MasterCard Brand Mark are registered trademarks of MasterCard International Incorporated."

This means that both the CTA and its riders will be doing business with MetaBank. Consumers that activate the prepaid debit option on their Ventra card will definitely want to know what bank is used, especially if there are problems or they need help. (What could go wrong with a prepaid card? Read parts 1 and 2 about a consumer's experience with a healthcare prepaid card.) Since Money Network is a Ventra vendor, it means that Money Network (e.g., First Data Corp.) will likely perform the payment transaction processing.

You never heard of MetaBank? There is a pretty useful summary of MetaBank at the GetDebit website:

[Image: Summary of MetaBank at GetDebit.com]

After reading the Ventra Chicago website, I also expected to find the full terms and conditions (e.g., contract) that apply when consumers opt in to use the prepaid debit option with their Ventra Chicago card. In my experience, details matter with any prepaid card. Often, prepaid cards contain minimums, limits, and/or several fees (e.g., to load money onto the prepaid card, or make cash withdrawals at certain bank ATM network machines). Additional fees may apply if you use the prepaid card at a different ATM network.

In January, this blog reviewed the new AAA card. Like the coming Ventra Chicago card, AAA members can use their new AAA card as an identification card for towing services and discounts, or opt in and activate the prepaid debit option to use the card to make purchases at retail stores. The new AAA prepaid card has a $25.00 minimum to load money onto it, and a maximum monthly limit of $2,500 (or a $10,000 max with direct deposit). With the new AAA prepaid card, each month only the first ATM cash withdrawal is free, and all other ATM withdrawals cost $2.00 each. And, you have to use it at American Express network ATM machines.

I wanted to see if there were similar conditions with the new Ventra Chicago card, but the website didn't say. This is the type of information informed consumers look for, since there are legal differences and rights consumers have with prepaid cards compared to both credit- and debit cards. Informed consumers want to know their rights and specific rules, especially about replacing the funds on lost/stolen Ventra cards. Hopefully, CTA officials will update the Ventra Chicago website soon with the appropriate detailed information, so Chicago-area consumers can make informed choices.

I visited the BBB website to see if its rating of Money Network had changed since last month. It had and is now rated B+:

[Image: BBB rating of Money Network]

You don't need to be a rocket scientist to see that the Ventra Chicago business model is one that can be replicated with public transit systems in other cities across the country. As each system makes decisions about the payment methods they will use, transparency is critical. It is important for transit systems to provide consumers with as much choice, freedom, and privacy as possible with payment options, while minimizing fees and surcharges.

What else is going on here? As I see it, several things. First, banks are trying to capture more customers by targeting both consumers who don't have a bank account (called the "unbanked" in industry jargon), and consumers who have a single bank account (e.g., checking or savings but not both; called the "underbanked") with prepaid card pitches. Second, banking industry research has found that consumers who have used debit cards and were burned with multiple overdraft fees now view prepaid cards as a way to avoid high overdraft fees. So, banks have targeted these consumers, too, with prepaid card pitches directly or through intermediaries (e.g., government, employers). These consumers often don't realize the limits, minimums, fees, and surcharges that often are included with prepaid cards.

Third, given current technologies it is fairly easy to make plastic identification cards perform the traditional functions plus act as a prepaid debit card. That's why you now see prepaid cards to receive government benefits, and with employer healthcare FSA programs. Fourth, it is no secret that banks perform huge data collection of consumers' purchases with all types of plastic in your wallet or purse: debit cards, credit cards, and prepaid cards. Banks analyze and sell your purchases to other businesses including data brokers. So, if you want privacy, keep using cash.

My advice to consumers is this: anytime a bank or company serves up a strong "convenience" pitch with a prepaid debit card, take the time to read closely the contract details (e.g., often called the Terms and Conditions), the schedule of fees, and the privacy policy. Those documents will indicate what protections and rights you have (or don't have), and the costs. And, there are five things you should know about prepaid cards.

What is your opinion of Ventra Chicago? Of MetaBank? Of Money Network?


Global Payments Takes $84 Million Charge For Its Data Breach

The Wall Street Journal reported that the Global Payments data breach will cost the company $84.4 million. Earlier this year, the Atlanta-based company experienced a data breach where payment information for about 1.5 million credit and debit cards was stolen. The breach could cost the company an additional $25 to $30 million in 2013.

There definitely are consequences when companies fail to protect sensitive consumer information.


Global Payments Breach Affects 1.5 Million Consumers

Last week, debit and credit card payments processor Global Payments Inc. announced that its systems had been breached by hackers and perhaps as many as 3 million credit and debit card numbers had been stolen. Global Payments processes transactions for Visa and MasterCard for retailers and card issuers.

In a statement released Sunday, Global Payments revised downward the number of stolen cards:

"... it identified and self-reported unauthorized access into its processing system. The company believes that the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers may have been exported. The investigation to date has revealed that Track 2 card data may have been stolen, but that cardholder names, addresses and social security numbers were not obtained..."

The company has not disclosed how hackers breached its systems, nor the duration of the breach. The company's Monday-morning conference call focused on earnings and left little time for questions about the breach details.

The term "Track 2" refers to certain data elements stored in the magnetic strip on the back of debit and credit cards. Also on Sunday, Visa removed Global Payments from its list of "compliant service providers." Forbes magazine reported that the company expects to quickly correct the Visa compliance issue:

"Global Payments chief executive Paul Garcia is quoted in the company’s statement as saying that “We are making rapid progress toward bringing this issue to a close,” and emphasized that all major brands of cards still allow Global Payments to act as a payment processor."

After a breach like this, card issuers (e.g., banks, credit unions, retailers) will usually notify directly those cardholders whose account information was stolen, and tell them whether replacement cards and accounts will be issued. And the card issuers usually seek reimbursement from the payments processor to cover the costs of issuing replacement cards to consumers.

Another payments processor, Heartland Payment Systems, experienced a much larger breach in 2008, after which multiple lawsuits resulted as card issuers provided replacement cards and accounts. With a reported 800,000 merchants and 3.5% market share, Global Payments is a smaller payments processor, when compared to First Data Corporation's 22.6% market share.

The largest banks, like Bank of America, have subsidiaries with joint venture arrangements with processor First Data to process card transactions. It seems to me that hackers have smartly figured out that a way to steal valid credit/debit card information is to attack the transaction processors instead of retailers, like T.J.Maxx, or banks directly.

I called Global Payments to see how many retailers they may have lost already due to the breach and their inability to process Visa transactions. The public relations rep referred inquiries to the company's data breach site: www.2012securityupdate.com, which includes this statement to its merchants/retail clients:

"We are still processing all of your transactions, including Visa transactions, and will continue to work with the card associations in response to this incident."

Time will tell if and how long that continues. The company's breach web site also advises affected cardholders who suspect fraud to monitor their accounts, contact their card issuer, and place a Fraud Alert on their credit reports.

The Global Payments breach highlights the fact that several companies are involved in debit/credit card transaction flow, from the time you swipe your card until when payment is completed. And, the security of that transaction flow is only as strong as the weakest link, or company, in the flow.


Bank of America Merchant Services And Money Network Announce New Payroll Solution

Earlier this month, Bank of America Merchant Services (BAMS) and the Money Network(R) announced the launch of the Money Network(R) Payroll Distribution Service sponsored by Bank of America. According to the press release on MarketWatch:

"The program enables employers to comply with complex payroll distribution laws, such as the need to offer a paper paycheck and free check cashing locations, while providing a safe and convenient pay alternative for employees who do not have access to a deposit or checking account. With the Bank of America-issued Money Network(R) Service, the payroll process is efficiently streamlined through more than 17,750 Bank of America ATMs and 43,000 Allpoint(R) Network surcharge-free ATMs..."

This is huge news. The benefits for employers are numerous. I'd written previously about a version of this payroll solution at Walmart. Most employers would stop printing paper checks as paycards allow them to avoid check printing expenses. The benefits for consumers seem questionable.

This payroll solution enables companies to essentially provide selected banking services to their employees. Where is the line between a company and a bank? It seems blurred with payroll services like these. Have you asked your employer for check-cashing services? I doubt it. Something else is going on here.

Notice that the press release includes this statement: "for employees who do not have access to a deposit or checking account." The banking industry uses the term "underbanked" to identify consumers that have a checking account or a savings account, but not both. The industry uses the term "unbanked" to identify consumers who have neither type of account.

According to a 2009 FDIC study (Adobe PDF document), only 7.7% of U.S. households are unbanked. Those unbanked households typically make less than $30,000 per year, and 66 percent of them use services with high fees: non-bank money orders, non-bank check cashing, pawn shops, payday loans, and rent-to-own services. The same study also found:

"Minorities more likely to be unbanked include blacks (an estimated 21.7 percent of black households are unbanked), Hispanics (19.3 percent), and American Indian/Alaskans (15.6 percent). Racial groups less likely to be unbanked are Asians (3.5 percent) and whites (3.3 percent)."

Those percentages are probably higher given the prolonged economic downturn of the last couple years. I doubt that BAMS and Money Network targeted this new payroll service at only the 7% unbanked slice of the market. The same study found that about 18% of U.S. households are underbanked. The market for this new payroll service seems to be both unbanked and underbanked consumers who currently use high-fee banking services, plus the upside potential:

  1. More consumers might become underbanked or unbanked during economic downturns,
  2. Employers with operations in developing countries have a larger percentage of unbanked employees,
  3. Employers with a large percentage of seasonal or contract workers, and
  4. If positioned a certain way, the new payroll service could capture more market share from employees that already have both checking and savings accounts

Upsides #3 and #4 worry me. This new payroll service seems to me to be a slick method to force consumers to use certain banks -- to restrict freedom of banking choice. Think of it this way: employees that are paid by their employer via a Bank of America-branded Money Network(R) PayCard, are being paid with a customized debit card. Use that PayCard within Bank of America and Allpoint networks and there are few or no surcharges. Use that PayCard outside of its network, and more fees and charges apply. Where do you think employees will shift their banking to?

If a company uses the Money Network Payroll Distribution Service for all its employees, then those employees who already have checking accounts (at the banks of their choice) either lose their freedom to bank where they choose, or pay more in fees to bank where they choose.

This reminds me of the old "company store" practice from the 1800's where companies forced their employees to shop only at the company store which effectively kept them in debt bondage. Haven't we learned from this history?

Perhaps, we are now seeing the future of banking and the big banks' response to customer fury about checking account fees. The big banks could co-mingle employer payroll solutions with limited consumer banking services -- all without having to highlight the embedded debit/checking fees to consumers and let the employers take the heat. After all, employees may not complain if they are afraid for their jobs.

This 2005 State of California study (Adobe PDF) researched the advantages and disadvantages of payroll paycards:

"... Pay Cards give an employee who does have a bank account an alternative to carrying cash or cashing a check, which may require a fee. Employees who do not have bank accounts gain the convenience of using a debit card. However, depending on the program chosen by an employer, Pay Cards may or may not reduce payroll costs for the business and/or for the employees."

This study documented a variety of fees charged to employees' pay cards:

  • Monthly maintenance fee
  • ATM balance inquiry fee (per transaction)
  • ATM in-network domestic withdrawal fee (waived or a limited number of withdrawals per month)
  • ATM outside-network domestic withdrawal fee (per transaction)
  • ATM in-network foreign withdrawal fee (per transaction)
  • ATM outside-network foreign withdrawal fee (per transaction)
  • ATM transaction decline fee (per transaction)
  • Domestic customer service automated inquiry via phone fee (per call)
  • Domestic customer service live-person inquiry via phone fee (per call)
  • Point-of-sale pinless signature purchase fee (per transaction)
  • Point-of-sale cashback fee
  • Emergency cash transfer fee (annual)
  • Emergency cash transfer fee (per transaction)
  • Bill payment fee (per transaction)
  • Funds transfer fee
  • PIN change fee
  • Paycard replacement fee
  • Paycard replacement fee (express delivery)
  • Negative balance fee
  • Account closure fee
  • Duplicate statement fee
  • Research fee (per hour)
  • Tax levy or garnishments fee (per occurrence)

And, all of these fees for employees are in addition to fees the bank charges the employer directly for the payroll service. So, costs for employees go up when multiple fees apply, or when they use a payroll paycard outside of the network at the bank of their choice. More fees apply if the employer negotiated a poor deal for its employees. These fees are effectively an economic incentive to force employees to do business at certain banks.

It is easy to find paycard solutions. This guide for employers' human resources department professionals lists ten branded payroll paycard services.

If you think that this is enough, there's more.

Similar to the Walmart Money Centers, the Money Network PayCards are insured by the FDIC (via MetaBank). So, as more employers provide limited banking services, the federal government (via taxpayers) is responsible for insuring more accounts. It would be preferable to have more public discussion about whether we want to insure more non-banks doing banking during a time of limited government budgets.

My first impression of this payroll solution was that it may be a security issue, since it allows consumers to easily move money around the globe, with Allpoint ATM locations in the USA, Mexico, Australia, and the United Kingdom -- today. In the future, Allpoint may serve more countries. In a world where governments are concerned about terrorism, this payroll solution struck me as a potential security risk.

Then again, this payroll solution could make it easier for employees to send money to relatives in their home country -- assuming the relatives have paycards, too.

After researching this investigative article, I have learned to keep an eye on both Bank of America Merchant Services, and Banc of America Merchant Services LLC. With this latest announcement, I have learned to also keep an eye on Money Network(R), a First Data Company.

What's your opinion? If your employer pays you with a payroll debit card or paycard, please share your experiences below. I've Been Mugged readers are interested.


Details And Transparency Matter As Banks Introduce New Debit Card Fees

While many news sources reported about the plan by Bank of America (BofA) to charge its customers a new $5.00 monthly debit-card fee starting next year, details seem to be scarce. Early reports were short on details, such as this Chicago Tribune report on September 30:

"Customers will pay $5 each month they use a debit card for a purchase. No charge for using BofA automated teller machines. Fee to be phased in starting early next year. Doesn't apply to customers with, for instance, a BofA mortgage or $20,000 in combined BofA and Merrill Lynch accounts..."

As a bank customer, I want to know:

  • The exact start date in 2012 the new fees start
  • Which checking account customers will be affected
  • The rollout schedule (e.g., nationwide or selective by state) for the new fee
  • Ways to avoid the new fee
  • The actions, if any, the bank took to try to avoid charging customers the new fee

Supposedly, customers who use their debit cards only at ATM machines would not be charged the new monthly fee. Now that BofA has raised the issue of monthly debit-card fees, other banks are considering similar new fees. MSN Money reported:

"Wells Fargo begins testing a $3 monthly fee on Oct. 14 in Georgia, Nevada, New Mexico, Oregon and Washington; JPMorgan Chase is testing a $3 fee in Wisconsin; Regions Bank will impose a $3 fee beginning Oct. 1; and SunTrust is already charging a $5 monthly fee for using a debit card."

USAA Bank used these events as an opportunity to emphasize that its checking and debit-card accounts will remain free.

To learn more so I can decide what to do, I visited the Checking Accounts section of the BofA website to read about the new fee. It didn't mention the new fee. I also checked the BofA online Newsroom which did not include any content or press releases about the new fee. When I signed into my online BofA account, the website didn't display any notices about the new fee.

So, I visited a local BofA branch to learn more. The customer service representative I spoke with was very polite and asked me what I knew. I summarized the news reports I had read and asked her for details. She mentioned that the new fee will apply next year to debit-card customers with basic checking accounts, who use their debit card for purchases. I explained to her that I do not use my debit card for purchases due to skimming devices at many retailers, such as supermarket terminals and gas station pumps.

She then explained briefly that customers with premium and platinum level accounts would not be charged the new monthly debit-card fee, even when using their debit cards for purchases. There was nothing in writing, and the chart of various checking account plans she pointed to did not mention the new fee.

She then asked for my account number so we could review my account. It turned out that I have a Platinum level account, so my account won't be charged the new monthly debit-card fee. While this was good news for me, I know that not everyone has a premium-level account which exempts them from the new fee.

Regardless, I feel that BofA has done an extremely poor job of communicating details about the new debit-card fee to its customers. Maybe other banks have done a better job. BofA used the news media instead of communicating directly to customers, first. Either a bank values its customers or it doesn't. I have the impression that it doesn't.

The BofA hasn't disclosed what percentage of its customers will be affected by the new fee. My guess: Most. After performing several online searches and reading through at least 16 news reports, I finally found this Time Magazine report which confirmed what I had heard:

"In an email, BofA spokeswoman Anne Pace said the fee applies to MyAccess, Essentials, eBanking and Enhanced accounts. Customers with Platinum Privileges, Premium and Advantage accounts won’t have to pay the fee; these are all accounts aimed at customers with five-figure balances or other big-ticket ties to the bank like a home mortgage. “In addition, Wealth Management/Merrill Lynch and US Trust clients will not be charged the fee...”"

So, if you are rich, have a mortgage or investments with BofA, or have several accounts with BofA, you can avoid this new fee -- and many other fees. If you are poor or don't have much money, well tough luck.

Many BofA consumers are concerned. Some are furious. Some feel resentful because the BofA and other banks received bailouts during the recession, and senior bank executives have received huge bonuses and compensation.

Some view this new fee as expensive. Given high employment in many parts of the country, I agree with this. About 120,000 BofA customers in 50 states have signed an online petition demanding that the bank cancel the new fee.

Some BofA customers have moved their money to local community banks or to credit unions. One Arizona credit union has seen a 20% increase in new applications over the weekend. I would imagine that a larger number of customers are considering a move of their money to a community bank or to a credit union.

I contacted BofA's Public Relations department about this. Spokesperson Betty Riess emphasized the bank's commitment to transparency and clear communications. She mentioned that, "... it's still early on" and the new fee wouldn't start until "early next year." She said that the bank would notify affected customers at least 30 days before the new fee goes into effect, and that the new fee would be rolled out in phases across the country.

Just to be clear, I am not defending any of the banks that plan to charge this new monthly fee. While banks have a right to make a reasonable profit, we consumers have a right to demand quality customer service at reasonable prices. We consumers have experienced lots of price hikes, starting with huge credit-card interest rate increases in 2009. And, the debit-cards distributed by American banks use obsolete technology.

Frankly, the banks have broken consumer trust. BofA hasn't provided me anything in writing about the new debit fees, so they could still change the terms of the deal between now and next year. This situation does not promote trust.

What else might be going on? The issues I see:

  1. Double Charges
  2. Lack of Transparency

Double Charges

Consider this: Online transactions are what make the Internet go. In other words, electronic payments are what make buying and selling on the Internet possible, and attractive. With this new fee, banks are screwing around with the electronic economy.

Think of it this way: When you use your debit card to pay online at a retailer's website, the new debit-card fee adds a cost to that transaction for consumers, even though the cost of that online transaction was, in theory, already included into the cost of the retailer's product or service. You could say consumers are getting charged twice.

The double charges definitely apply if retailers don't lower their prices commensurate with the new, lower swipe fees. Will retailers lower product prices given the lower debit-card swipe fees?

The National Retail Federation commented about this, since its members benefited from the legislation that lowered debit-card swipe fees:

“Retailers across the nation are developing a wide range of innovative ways to pass these savings along to their customers with lower prices and better value... Change won’t come overnight, but consumers will definitely benefit... Every time Congress takes a step to protect consumers, the banks use it as an excuse to raise fees. We’ve seen it when Congress limited late fees and overdraft fees and now we’re seeing it with swipe fees. Just as merchants and consumers are about to get some relief, they’re doing it again. That doesn’t mean Congress shouldn’t pass consumer protection laws. It speaks more to the nature of the card industry than to whether swipe fee reform should have been passed.”

I am hopeful that retailers will lower their prices. Lower prices mean greater product sales. And greater sales could translate into more jobs for consumers. So, we'll see during the coming months what happens. If retailers don't lower their product prices, then consumers have been "mugged" yet again.

Lack of Transparency

Since the previously higher swipe fees were paid to the banks by retailers or merchants, the banks seemed to have made a calculation that since they can't charge merchants more, they can charge consumers more to make up the lost revenues. This caused me to think about who receives the debit-card swipe-fee revenues.

So, I searched online for "merchant services," since that is the business function where banks provide banking services to businesses. One link I found was the Merchant Services section of the BofA website, where BofA provides checking accounts to businesses. That read like pretty standard stuff.

A more interesting link I found was a link to a description of "Banc of America Merchant Services LLC" at the Hoovers website, which stated:

"The next time you swipe your card and it clears, you might thank Banc of America Merchant Services. A 2009 joint venture between Bank of America and First Data, it is one of the largest processors of electronic payments in the US. The firm handles more than 7 billion check and credit, debit, stored value, payroll, and electronic benefits transfer card transactions..."

[Screen image of Hoovers public page about Banc of America Merchant Services LLC]

When banks claim that the "economics of debit cards have changed," it's a reference to the banking legislation that capped swipe fees at about 21 cents per debit transaction, from a prior high of 43 cents. Does each online transaction really use 21 cents worth of electricity? I doubt it. Are their administrative costs that high? I doubt it. If their costs are that high, what are they doing to lower those costs? And if they aren't doing anything to lower those costs, then maybe they shouldn't be in business anyway.

So, the BofA outsources its debit-card transaction function to another company: Banc of America Merchant Services. Many consumers might be surprised to learn that BofA outsources this function to another company. Companies often claim that outsourcing is done to lower costs, but in this instance that doesn't seem to be the case, since this outsourcing isn't discussed.

My point: BofA partnered with another company to create a separate company that actually processes debit-card transactions, and it shares in those debit-card transaction revenues. Some people might call this double-dipping. I recognize its partner's name from prior blog posts: First Data.

This raised more questions for me than it answered. I now wonder who gets the revenues from the new debit-card fees the banks plan to charge consumers. Does the revenue from this new fee go to the BofA or to Banc of America Merchant Services? Or does it all go to First Data?

Also, there is the ethical question: Is it right for banks to charge consumers for a transaction function that previously was a merchant services function? It seems to me that the banks should resolve the profitability of their merchant services operations between themselves, transaction processors, and merchants. How might banks do this?

The banks seem very creative at introducing new fees. The banks could have created another new fee for their merchants, and charged merchants directly with this new fee. Or the banks could have lowered their internal costs by outsourcing to different vendors. Perhaps the costs the banks pay to outsourcing vendors for debit transactions are too high.

I asked Riess about this and she said that the debit-card fee revenues go to the BofA. She didn't elaborate beyond that general answer. She said she couldn't discuss what actions BofA might have taken to lower its costs before adding the new debit-card fee. She said that she couldn't discuss the questions I raised about Banc of America Merchant Services. I don't know if she couldn't discuss them due to a lack of knowledge, or an internal directive.

Consumers might want to ask their banks to explain what debit-card transaction processing venture their bank engages in, and exactly where the money collected from debit-card fees goes.

I am not a banking expert, but something funky is going on. It just doesn't pass the smell test.

It seems that rather than try to lower their debit-card transaction costs, the banks "punted the football" and simply want to charge consumers to make up the lost revenues, without explaining to their customers first:

  • Their debit-card transaction processing ventures,
  • The steps they have taken to cut costs so they don't have to raise prices, and
  • The steps they have taken to make up their alleged revenue shortfall with merchants rather than with consumers

This lack of communication indicates that the banks are being neither honest nor transparent about what is really going on.

What else might be going on? The New York Times reported:

"Bank of America probably has bigger problems than any of its competitors. So it stands to reason that it would make a bolder move. After all, it is dealing with a pile of troubled mortgages, legal fallout from the sales of bonds made from those loans and questions about how it serviced its home mortgages."

Perhaps, but this does not give the banks a free pass on the questionable merchant-services revenue situation I described above. I'd like to see BofA and its executives act in a more respectful and transparent manner to customers. That means communicating to customers first about what is happening, and acting in an accountable manner for past decisions (e.g., Countrywide, foreclosure documentation shortcuts) without penalizing its customers for poor decisions its executives made.

Resources

If you have decided to move your money out of BofA or your current bank, MSN Money advises consumers to look for banks with "switch kits," and to follow these five steps:

  1. Choose your new bank
  2. Open your new bank account first
  3. Change your direct deposit
  4. Close your old bank account after all outstanding checks have cleared.
  5. Set up automatic payments online at your new bank

More resources to help you find a new bank:

What is your opinion of the new debit-card fees? Or about the double charges and lack of transparency? If you have moved your money to a community bank or credit union, share your experience below.


The Frenzied World Of Companies Collecting Consumers' Financial Histories

Many consumers believe that if you pay your bills on time, keep your (Experian, Equifax, and TransUnion) credit reports accurate, and keep your credit scores high, then all is well. Not necessarily. There are many more companies that track and collect data about consumers' financial history.

Chances are, you haven't heard of their names. The Washington Post reported:

"But little attention has been paid to the firms that target consumers outside the mainstream financial system. Often they are students, immigrants or low-income consumers who do not qualify for traditional loans or choose not to use them... they carry particular weight for the estimated 30 million people who live on the margins of the banking system."

Who are some of the smaller firms? Some of them this blog has covered: ChoicePoint, Innovis, RapLeaf, Quantcast, First Data, Acxiom, Intelius, US Search, and Spokeo. Some are data brokers. Some collect website visitation statistics. Others focus on finance or insurance. Some are technology vendors working with ISPs. A prior blog post discussed the variety of brands of credit scores. Some other firms' names you may not have heard about:

"LexisNexis, whose parent company bought ChoicePoint three years ago, handles background checks, tax assessments and criminal histories. Bounced checks can be tracked through Chex Systems, TeleCheck or SCAN. Payday lenders report to a company called Teletrack. Alliant Data compiles information on so-called “installment payments,” industry jargon for recurring monthly fees such as gym memberships. The National Communications, Telecom and Utilities Exchange collects account information for 63 of that industry’s largest firms..."

The accuracy of the information collected by these firms is suspect:

"Arkansas resident Catherine Taylor didn’t learn about the fourth bureau until she was denied a job at her local Red Cross several years ago. Her rejection letter came with a copy of her file at a firm called ChoicePoint that detailed criminal charges for the intent to sell and manufacture methamphetamines. The information was incorrect... Taylor said she has identified at least 10 companies selling reports with the inaccurate personal and financial information, wrecking her credit history so badly that she says she cannot qualify to purchase a dishwasher at Lowe’s. Taylor must apply for loans under her husband’s name and has retained an attorney to force the firms to correct the record..."

And this list of firms does not include social networking websites, advertising networks, and mobile device marketers -- all of which collect information and profiles about consumers.

Given the long list of companies across several industries collecting consumers' personal information, you could call this a feeding frenzy.


Why Does First Data Know So Much About Consumers?

[Editor's Note: This blog post was first published on September 10, 2008. I am posting it again since several banks have decided to sell consumers' debit card shopping habits, and since consumer tracking has increased greatly over the years. Banks have a sacred trust to their customers -- to serve and protect consumers' sensitive personal information, not sell it all. Guest author William Seebeck has written several posts for this blog. "Bill" and I worked together at Lexis-Nexis headquarters in Dayton, Ohio during the 1980's. Bill sent me his comment below, which he also submitted as a reply to the ZDNet blog post by Tom Formeski about First Data Corporation. Bill's message deserves the widest audience possible, and it includes advice First Data, the big banks, and consumers would be wise to listen to.]

By Bill Seebeck

I'm sure that it is true, as Mr. Capellas states, that he knows more about what we (the American public) are likely to do next than we do ourselves.

However, I hope that Mr. Capellas also knows that he and First Data Corporation hold a special trust as the guardians of that information as it represents the most private of American consumer information.

Why does First Data know so much?

In part it is because First Data Corporation, now a private corporation, represents both sides of most electronic transactions. It represents more than 50% of the banks and other financial institutions that issue credit/debit cards and other electronic instruments. It also represents more than 50% of all merchants that accept credit cards at their stores, restaurants on the streets of America's towns and cities and also on the electronic highway that transits our Internet community. First Data also represents more than 50% of all the ATM's that Americans use every day.

This means that First Data Corporation has knowledge of your bank accounts, credit activity, purchasing data, and much, much more.

I think most Americans would agree Mr. Capellas that as a result of the role your company plays in all aspects of financial transactions that you and your company are in a very unique and most singular position. You hold a sacred trust it seems to guard the privacy of such transactions rather than thinking up new ways to monetarily benefit from the use or sale of this most private information.

Those of us who are pioneers in the use of electronic information and e-payment services believe that companies like First Data should be much more transparent. It is bad enough that America's consumers feel held hostage by the credit reporting agencies, it doesn't need another company to exploit them.

Mr. Capellas, most Americans don't know that you have access to their bank accounts, their store accounts, their phone records and their Internet activity. I strongly suggest that you keep what you and your company know about what is in those accounts to yourself. Show the people of America what keeping a sacred trust is all about.

William B. Seebeck
August 8, 2008. © William Seebeck.


St. Petersburg Times Interview: Heartland's Chief Information Officer

Recently, the St. Petersburg Times interviewed Steven Elefant, the Chief Information Officer Heartland Payment Systems hired after its disastrous data breach in 2009. With 130 million debit/credit card numbers stolen, that data breach was the largest corporate data breach in history. Consumers at banks and credit unions were affected. Several class-action lawsuits resulted and Heartland paid numerous fines, as banks had to reissue debit/credit cards to affected breach victims.

Prior to joining Heartland, Elefant held positions within the U.S. Secret Service and the F.B.I. crimes task forces. I found some of Elefant's comments very interesting, as they highlight the global nature of identity theft and fraud. About the person caught and convicted of the breach:

"... Gonzalez was not the mastermind. He was working with organized criminal rings in Eastern Europe, Ukraine and Russia. They will sell your stolen credit card numbers today over the Internet for $5 to $20 apiece. U.S. law enforcement knows exactly who they are but cannot get them extradited. Some of these countries have no cyber crime laws, so they cannot arrest them there..."

Thieves make money with stolen debit/credit card account information when they:

"... sell the numbers to other bad guys who obtain blank cards and an imprinter — used ones are available on eBay or Craigslist — and print their own credit cards or make counterfeit gift cards. They use the cards to buy big-ticket items like a $1,000 TV they sell for $500 to people who don't realize it's stolen merchandise."

About how Heartland's retail clients have responded after the breach:

"We lost very few clients and have been flat since then. So far about 10,000 of our 250,000 merchants have adopted end-to-end encryption."

If you want to learn more about Elefant, there is a good article at BankInfo Security.


FTC Wins $3.6 Million Judgement Against Payments Processor Who Helped Deceptive Telemarketers

This is news I like to read about. Earlier this month, the U.S. Federal Trade Commission (FTC) announced in a news release that a federal court judge had ruled in its favor against a payment transactions processor that had helped telemarketing companies place charges on consumers' bank accounts that consumers did not request or authorize:

"According to a 2007 complaint filed by the FTC and seven states, Your Money Access, LLC and its subsidiary, YMA Company, LLC, processed unauthorized debits on behalf of deceptive telemarketers and Internet-based schemes that were violating the FTC’s Telemarketing Sales Rule and state consumer protection laws. The companies played a critical role in these schemes by providing access to the banking system and the means to extract money from consumers’ bank accounts."

The states involved with the FTC lawsuit were Illinois, Nevada, North Carolina, North Dakota, Ohio, and Vermont. In October 2008, a default judgment stopped Your Money Access and YMA Company from payment processing for any company that conducted deceptive, unfair, or abusive business practices, as defined in the FTC Act, the Telemarketing Sales Rule, and state consumer protection laws. According to the 2007 FTC complaint (PDF format):

"Since at least November 2003 through on, or about December 1, 2006, defendants, through YMA, offered payment processing services to hundreds of client merchants.... Between June 23, 2004 and March 31, 2006, YMA processed on behalf of its client merchants more than $200 million in debits and attempted debits to consumers' bank accounts. Of these attempted debits, more than $69 million were ultimately returned or rejected by consumers or consumers' banks for various reasons, evidencing the lack of consumer authorization."

You can view online the October 2010 judge's order (PDF format). According to BusinessWeek, Your Money Access LLC went bankrupt in 2008. Your Money Access, LLC was located on West Lake Mary Boulevard in Lake Mary, Florida. It operated under several brand names including Netchex Corp., Universal Payment Solutions, Check Recovery Systems, Nterglobal Payment Solutions, and Subscription Services, Ltd. YMA, a wholly-owned subsidiary of Your Money Access, was located at the same address. Derrelle Janey was the President, and Tarzenea Dixon was the Chief Executive Officer of Your Money Access.

The FTC advises consumers to perform these steps if you are billed for products or services that are never delivered:

  • If you were billed on your credit card, write to the bank that issued your credit card at their address for "billing inquiries" (not the address to send payments to). Describe the billing error and amount in your letter. Also include your name, address, and account number
  • Your letter must arrive at your credit card issuer within 60 days of the bill that contained the error
  • Send your letter by certified postal mail, return receipt requested. That way, you have proof of when your letter arrived at your credit card issuer
  • To support your description, include copies (not originals) of sales receipts with your letter. Keep a copy of your letter for your records
  • Send your letter to the correct company. For example, if you have a Visa credit card, look on the back of your statement for the correct address, so you send your letter to the bank that issued your card; not to Visa

The FTC website provides a sample dispute letter. By law, your credit card issuer must acknowledge your complaint in writing within 30 days after receiving your letter, unless the problem has already been resolved. Your credit card issuer must resolve the dispute within two billing cycles (but not more than 90 days) after receiving your letter. You do not have to pay the disputed amount, but you have to pay the rest of your credit card bill and applicable interest charges.

If you paid with a debit card, contact the bank that issued your debit card to see what protections are offered. You may or may not have the same protections as purchases made with a credit card. See the FTC website for additional information if you ordered the products or services via mail or telephone.

 


Impacts Continue From The Heartland Data Breach

Finextra reported:

"Around 5000 First National Bank of Durango customers have been unable to use their cards in stores, although they can still withdraw cash at ATMs. In a notice on its Web site, the bank says: "Please be aware that as a result of a security breach at Heartland Payment Systems that occurred over a year ago, debit cards issued by the First National Bank of Durango may have been compromised. It is important to note that there was not a security breach at First National Bank of Durango, our systems remain secure. The breach occurred at a 3rd party processor."

Reportedly, the First National Bank of Durango blocked payments after several customers contacted the bank about suspicious charges on their bills.

Are these continual post-breach impacts unusual? Experts say that this is to be expected. According to Bank Info Security:

"What happened to First National Bank of Durango is not unusual, says Avivah Litan, Gartner distinguished analyst. "Typically the crooks will use stolen cards right after a heist until the looting is discovered and publicized in the media... At that point, the crooks will lie low and not use them because of heightened alerts that will flag and stop their use (e.g. because the cards are on watchlists). Then when time passes and the heat is off, "The crooks will rear their ugly heads and start using them again... Debra Geister, Senior Director, AML and Compliance Services at LexisNexis Risk Solutions, says this scenario is really no different from a sleeper scam, where the fraudsters sit back and wait until an opportune time to strike."

As I've written repeatedly in this blog, identity thieves are smart and persistent. The risks continue as long as the thieves believe that they can use the stolen information successfully, or resell it to others who can use it successfully.

After a data breach with debit/credit cards, banks block accounts and then re-issue cards with new account numbers as needed, since re-issuing cards is expensive. After a breach of sensitive personal information (e.g., Social Security number, birthdate, etc.), companies often offer free credit monitoring services for a year or two. This Heartland post-breach experience casts doubt on both practices since criminals don't magically give up after a year or two.


Heartland and Visa Agree To $60 Million Settlement

After Heartland Payment Systems and American Express agreed to a $3.6 million settlement in December, earlier this month Heartland and Visa agreed to a $60 million settlement. Bank Info Security reported that Heartland:

"... will pay Visa-branded credit and debit card issuers up to $60 million to cover losses incurred from the Heartland data breach. It is the largest known settlement amount ever paid to Visa as a result of a breach, eclipsing the TJX settlement of $40.9 million in November 2007."

Issuers are the banks and credit unions that administer Visa-branded debit- and credit-cards to consumers. Those issuers incurred costs to replace their consumers' stolen cards with secure new cards, and to replace their customers' stolen money. Industry experts estimated that the cost to replace a card is about $20 per consumer. Heartland never disclosed exactly how many consumer accounts were affected by its breach, but experts estimated that the identity thieves stole about $50 million. Heartland processes about 100 million card transactions monthly and more than 330 banks reported that their cardholders were affected.

"The settlement also includes mutual releases between Heartland and its sponsoring bank acquirers on the one hand, and Visa on the other. Heartland will fund up to $59.22 million of the amounts to be made available to Visa and its issuers under the settlement program. Additionally, Visa will credit the full amount of intrusion-related fines it previously imposed and collected from Heartland's sponsoring bank acquirers toward the $60 million maximum funding of the program."


Heartland Settles Consumer Class Action Lawsuits

On Monday, Reuters news service reported that credit card processor Heartland Payment Systems Inc. has agreed to settle its consumer cardholder class action lawsuits related to the company's data breach. Heartland has agreed to:

"... pay up to $2.4 million to class members submitting valid claims. Heartland agreed to pay a minimum of $1 million to class members and take up settlement-related administration costs, including up to $1.5 million for the cost of notice to the settling class. The company will pay up to $760,000 of the costs of attorneys representing the class members. Heartland said it could terminate the deal if costs of notice exceeded $1.5 million, or if it received more than 2,500 requests for exclusion from the settlement class."

The settlement deal includes consumers whose credit and debit cards were compromised between Dec. 6, 2007 and Dec. 31, 2008, plus consumers who have alleged that they have suffered fraud losses.

Last week, Heartland agreed to pay $3.6 million to settle claims with American Express Company.


Heartland To Pay American Express $3.6 Million For Breach

Last week, PC World reported:

"Heartland Payment Systems will pay American Express US$3.6 million to settle charges relating to the 2008 hacking of its payment system network. This is the first settlement Heartland has reached with a card brand since disclosing the incident in January of this year."

Heartland processes credit card and debit card transactions. Typically after a breach banks and credit card issuers incur expenses to delete the compromised credit card accounts and issue new credit/debit cards to consumers. So, it is appropriate for Heartland to reimburse the credit card brands and credit card issuers.

"Heartland has also had to pay out fines assessed by other brands such as Visa and MasterCard. Typically, these card brands levy fines against those responsible for data breaches."

Earlier this year, the company set aside over $12 million to cover fines and other breach-related expenses. In February of 2009, at least two class-action lawsuits were filed against Heartland. By June, about 31 lawsuits had been filed.


Exhibit B: The Ongoing Cost Of A Data Breach

Internet Retailer reported:

"Heartland Payment Systems Inc. spent about $32 million in the first six months of this year on forensics, legal work and other activities related to the December 2007 database breach that resulted in the theft of millions of credit and debit card numbers, CEO Robert Carr told the U.S. Senate Committee on Homeland Security and Government affairs... Heartland this week also launched E3secure.com, an educational web site about end-to-end encryption technology and the E3 solution."

This is another clear, painful consequence for companies that fail to protect consumers' sensitive personal data. When Heartland first announced its breach incident, the company's stock dropped precipitously.


The Credit Card Industry Struggles With Keeping Consumers' Data Secure

The last few weeks have included a huge increase in identity-theft news. First, we consumers heard on August 17 about the indictment of three hackers -- a Miami man and two Russian accomplices -- in what is probably the largest data breach and theft in the USA. More than 130 million debit and credit card numbers were stolen.

This latest theft of 130 million card numbers covered data breaches from 2006 to 2008 for companies including Heartland Payment Systems, a card payment processor, and retail chains 7-Eleven Inc and Hannaford Brothers. The Heartland breach has affected dozens of banks nationwide.

Second, we learned that the Miami man, Albert Gonzalez, was also a former government informant for the U.S. Secret Service since 2003 and was already known to government officials, and already in prison for a series of eight retail hacks affecting an additional 40 million credit cards. The thefts of those 40 million additional cards included retail companies such as BJ's Wholesale Club and TJX Companies/T.J.Maxx. So one man (with help from some friends) stole more than 170 million debit/credit cards.

How do three people steal 130 (or 170) million credit cards? Third, we started hearing technical terms like the "SQL injection" technique the criminals used to exploit weaknesses in the way computer system developers write code for credit card databases. According to InternetNews:

"For his crimes, if Gonzalez is convicted in the Heartland incident, he'll face a fine of at least $250,00, and up to 25 years in prison. Gonzalez had servers in California, Illinois, Latvia, the Netherlands and Ukraine..."

Sounds to me like far more than three people are involved. You don't simply set up servers in multiple countries without some help. This theft smells like an organized business. I want law enforcement to capture and prosecute other criminals worldwide (e.g., Hacker-1 and Hacker-2 who are in or near Russia) who aided the thefts and/or resold the stolen data.

Fourth, details then began to emerge about the breaches at specific companies:

"... Dallas-based 7-Eleven, while confirming security breaches, said that only ATMs at some stores were affected... Moreover, the Dallas chain would not say where the affected stores were.... A 7-Eleven statement said the chain became aware of attacks in late 2007, saying they had occurred Oct. 28 through Nov. 8. The indictment said the chain’s network was breached from August 2007... Each card-issuing company made its own decision on what action to take, including replacing cards or putting card numbers on an alert for fraud..."

Like a bad screenplay, we further learned that Gonzalez went by the "soupnazi" online alias and he:

"... reportedly became an informant for the Secret Service in 2003, helping in a sting of a cybercrime syndicate, known as Shadowcrew.com. But afterward, Gonzalez re-established his own hacking group, called "Operation Get Rich or Die Tryin," according to Threat Level..."

Perhaps most troubling:

"Accomplices to the crimes are believed to be on the loose in Russia or other countries where U.S. authorities are less likely to get them. And the underlying security holes mined by the hackers still exist in many payment networks."

Most of this was summarized nicely in the New York Times:

"The financial stakes are getting higher. Fraud involving credit and debit cards reached $22 billion last year, up from $19 billion in 2007, according to California consulting firm Javelin Strategy & Research."

You may remember that the breaches at Heartland and Hannaford occurred while both companies were supposedly in compliance with security requirements. Again, from the New York Times:

"Those standards were set by a council that includes the world's two largest credit card networks, Visa and MasterCard Inc; fast-food leader McDonald's Corp; oil major Exxon Mobil Corp; and big banks Bank of America Corp and Royal Bank of Scotland Plc... Yet some 5 percent of the largest retailers and restaurants still have not met compliance deadlines set in 2007, according to Visa."

Clearly, the security standards are insufficient and need to be strengthened. Then, we learned that J.C. Penney, Target, Boston Market, DSW, Office Max, Barnes & Noble, and Sports Authority were affected by the Gonzalez-led breaches. By the end of the week, Gonzalez pled guilty to several charges about the breaches, and would get a maximum of 25 years in prison.

Meanwhile, the banks, credit card networks, and retailers argue about the appropriate security standards and who should pay. What should consumers do?

We consumers can't control the squabbles between the banks, credit card networks, and retailers. We can control which cards we use and when. My advice is this:

  1. Shop online with your credit card, since that gives you more protection than a debit card.
  2. If you can, use cash for in-store purchases, or use a credit card. Why? Retailers are not honest and transparent about informing consumers of breaches or about which stores in their chain are problematic. (Remember, not all states have data breach notification laws.) And, the credit card industry still hasn't solved its security problems. See this blog post above.
  3. Use your debit card at your bank's ATM machines. Regardless of those entertaining Visa and MasterCard advertisements on television, the system isn't as secure as it should be. I avoid ATM machines in convenience stores, and try to use ATM machines only in my bank's branches.
  4. Review your monthly credit card statements, since some fraud shows up as tiny charges first (e.g., 25 cents) and since you may spot fraud first. Don't rely on your bank spotting it first. If you spot fraudulent charges, report them quickly to your bank or credit card issuer.

Updates On The Heartland And RBS WorldPay Lawsuits

When I have read news reports during the past few weeks, I get the impression that executives at Heartland Payment Systems and some banks are happy to act as if the Heartland data breach never happened; to avoid telling credit cardholders details about the Heartland data breach. To me, this attitude is totally unacceptable. Plus, several states require the notification of consumers.

On Thursday last week, SC Magazine reported:

"A federal court body ruled this week that litigation facing two payment processors, Heartland Payment Systems and RBS WorldPay, will be consolidated. In separate judgments, the U.S. Judicial Panel on Multidistrict Litigation decided this week that lawsuits against Heartland will be heard in Texas, while action against RBS WorldPay will be moved to Georgia. Thirty-one separate lawsuits, on behalf of consumers, investors, banks and credit unions, have been filed against Princeton, N.J.-based Heartland, which disclosed in January that its systems were breached. Heartland did not say how many records were compromised, but some estimates placed the number around 100 million, making it the largest reported data breach in history."

That would make Heartland's breach bigger than the TJX Companies / TJ Maxx data breach (90+ million records). I am watching these lawsuits closely, since Heartland was supposedly PCI compliant while its breach occurred. I also believe that the immense size of these data breaches warrants strong consequences for the executives at both companies. Monetary fines, and a temporary removal from Visa's list of PCI-compliant firms, are not strong enough consequences.

All of this has consequences for consumers. In yesterday's blog post, the Associated Press summed up the situation for consumers: every time you pay with plastic, chances are that retailer is gambling with your sensitive personal data.


Another Consequence of the Heartland Data Breach

When banks and credit card issuers provide replacement debit/credit cards after a data breach, this negatively impacts the restoration of online payment arrangements by consumers. From the Washington Post:

"The data breach last year at Heartland -- a company that processes roughly 100 million card transactions a month for more than 175,000 businesses, has forced at least 600 banks to re-issue untold thousands of new cards in a bid to stave off fraud. For consumers, receiving a new credit or debit card number means contacting companies that have those credentials on file to charge for monthly or periodic bill payments. Less well understood, however, is the economic impact that large scale processor breaches and the inevitable waves of re-issues by banks may have on companies when customers simply fail to reset that automatic billing when they receive a new card number."

The WaPost story focuses on a company that is seeing a $1 million impact from the consumer card turnover. Multiply that by thousands of small and medium-sized businesses and you are describing a huge, ongoing financial impact. The article explores some of the reasons why consumers don't restore their online payment arrangements with their new debit/credit cards:

"The trouble is that convincing customers who had once set up auto-billing to reestablish that relationship after such a disruption is tricky, as many people simply don't respond well to companies phoning or e-mailing them asking for credit card information..."

Like you, I am a consumer. My list of reasons why consumers don't restore their online payments with replacement debit/credit cards after a breach:

  • Resentment: breaches inconvenience consumers. While banks and credit card issuers provide replacement cards, it is consumers that bear the burden -- time, effort, and money -- to contact retailers to restore online payment arrangements.
  • Preoccupied: consumers are busy. Young parents are busy raising families. Professionals are busy with their jobs and business travel. The work to restore online payments is prioritized against other important household responsibilities. If the consumer has already experienced fraud on their card account, then even more work is required before they can restore online payment arrangements.
  • Broken trust: breaches like Heartland's tell consumers that their bank -- or its contractor -- hasn't protected their sensitive personal data like they should. That causes consumers to not use their debit/credit cards.
  • Lack of personal attention: a standardized, nameless form letter of notification tells consumers that their bank or credit card issuer is doing the absolute minimum, and probably doesn't care.
  • Poor Customer Service: low online payment restoration rates are inevitable if the bank or credit card issuer's customer service is reactive or ill-prepared. This includes a bank's web site that is not updated or does not contain the necessary information to help consumers restore their online payment arrangements.
  • Lack of transparent notification: when banks, credit card issuers, and processors like Heartland are slow or reluctant to release details about the breach, trust erodes. Consumers expect and deserve open, honest and direct communication. Poor communication causes consumers to conclude that breaches are likely to happen again. The attitude becomes: I won't bother to restore online payments because another breach is likely.
  • Reduced access to credit: banks and credit card issuers have raised the interest rates on their cards, reduced limits, and imposed new or higher fees. These actions discourage consumers from using their cards.

As I reread this list, it occurred to me that this is also a pretty good list for consumers to use when deciding whether or not to switch their bank.

What do you think? If you have received a replacement debit/credit card after a breach, did you restore all of your online payments? And why, or why not?


Data Security: PCI Is Not Enough

This TechNewsWorld article should make consumers pause before their next visit to the mall to shop with their debit/credit cards:

"It's evident that PCI compliance is not enough to fully protect credit card transaction data. Major fiascos such as the infamous Heartland, RBS WorldPay and TJX data breaches will continue to occur unless the system is fixed. One possible solution? Protection that starts at the database level... Although the exact details of the Heartland breach and compliance issues have not been made public, it is widely believed that credit card data was exposed and non-compliant during its time on the Heartland server. It is staggering that retailers and others processing credit cards are required to protect all transactions in order to be in compliance with the points of PCI, yet once the transactions get to the "super-processors" such as Heartland, these requirements are apparently not systematically enforced -- or even required, at some points. The more data you handle, the lower the security bar, or so it seems."

To address this mess, Heartland is proposing end-to-end data encryption. I am a consumer and not a data security expert, so I have no idea if that will work, or if Heartland is blowing more BS. Regardless, this trend seems very important:

"The more sinister threat environment, which has emerged over the past two years, involves well-organized criminal gangs that grab data with the sole purpose of using it fraudulently. The "2009 Verizon Data Breach Investigations Report" outlined the change, finding that 93 percent of all electronic records breaches occurred in the financial services industry, with 90 percent of the breaches tied to organized crime."

Now that consumers have been thoroughly warned and trained about phishing attacks (e-mail and Web sites), identity thieves have focused their attacks on sites where the money is: banks and retailers.