Helping Issuers Manage Consumer Expectations About Data Security

“Breaches are pretty much a daily occurrence now,” says Jonathan Hancock, Director of Fraud Management Solutions for TSYS, “and consumers who haven’t been hit personally are numb to the news.” But here’s the great irony: When something does happen, consumers blame the retailer, but expect issuers to fix any problems that occur. Hancock takes the learnings from a recent TSYS study on consumers and data security, and turns it into a simple three-step program for all issuers to follow.

 

“Breaches are pretty much a daily occurrence now,” says Jonathan Hancock, Director of Fraud Management Solutions for TSYS, “and consumers who haven’t been hit personally are numb to the news.” But here’s the great irony: When something does happen, consumers blame the retailer, but expect issuers to fix any problems that occur. Hancock takes the learnings from a recent TSYS study on consumers and data security, and turns it into a simple three-step program for all issuers to follow.

 

PYMNTS |You have recently released the findings from TSYS consumer awareness data security study about how consumers feel about data breach accidents. One of the findings is that consumers often think merchants are at fault when a breach occurs, but expect the card issuers to make it all better for them. Did this surprise you?  

JH: No, this didn’t surprise me at all. Consumers have a relationship with their card issuer, and while they do have a transactional relationship with the merchant, it’s a completely different type of relationship. I would say that cardholders blame merchants for the compromise of their data, but they expect their card issuer to fix it for them. That’s exactly what our survey confirmed.

People generally feel that their bank has the ability to cover the cost of any fraud associated with the merchant breach, and they expect any losses to be refunded by their issuer or bank. Our survey revealed that consumers would even go so far as to change their bank or issuer for better security against fraud – quite a clear message to issuers on how they can differentiate themselves within the industry.

PYMNTS | How are consumers’ shopping habits impacted by their awareness of breaches?

JH:  I think they certainly are impacted in the short term. I’ll also say that this really has only happened recently. For example, in the media aftermath, Target stores saw a significant decrease in sales, about 25 percent below their expectations. Cardholders stopped using their debit cards in the stores. I think Target has been proactive in addressing the issue, have seen the worst of the fallout and are well on their way to recovery.

Most breaches are pretty much a daily occurrence now. Consumers who have not really seen a financial impact are becoming numb to them. I don’t think they’re spending habits have really been impacted.

 

PYMNTS | So, what’s an issuer to do?  What are the top 3 recommendations you’d give them about how to address consumer concerns related to payment security?

JH: That’s easy: educate, authenticate, and empower.

Educate in terms of making cardholders aware of the fraud management tools that issuers have invested in to show consumers that they take cardholder security and that they’re being proactive in protecting them against fraud. If issuers are contemplating issuing EMV chip cards with PIN or signature, let cardholders know why. Communicate rollout plans to them, because it’s the start of a solution that really will protect them against counterfeiting and card-present lost and stolen fraud. If issuers deploy risk-based 3D secure solutions, same thing. Educate the cardholders on why their doing it, what it’s for, how it works, and what they can expect when they use their card online. Make them aware that they may need to enter a password for particularly high-risk transactions.

In terms of authentication, authenticate customers at all account access points from new account opening across the maintenance points to the transaction end points. If issuers are deploying chip cards, our recommendation is that they require consumers to use a PIN to verify that it is the cardholder making that transaction – otherwise they could be to susceptible to lost or stolen card fraud. Customers will warm to it. They’re very much in tune to signature in the moment, but as soon as PIN starts rolling out, as they see it happening in Europe and elsewhere in the world, they will want to use it because they see it being a more secure method.

Finally, for empowerment, deploy solutions that give power to cardholders. For example, using mobile applications that can turn a card on or off. Communicate with cardholders – use a two-way SMS immediately after a high-risk transaction is performed to ask them to reply with a “yes, this was me” or a “no, this wasn’t me.”

 

PYMNTS | What more can the payment industry do to protect card holder data, other than making it more difficult for compromised data to be used by fraudsters? 

JH: There are number of things that the industry can do to protect cardholder data. For one, make it more difficult for fraudsters – and that really is a key industry initiative at the moment. Tokenization of cardholder data across the payment network will devalue the data, making it completely useless to fraudsters if they were to get hold of it. And it will certainly play a key role in payments system security as tokenization gains transaction across the payments network.

But tokenization on its own is really not a silver bullet. Having the right security and protection in place is critical. The industry can also deploy consumer awareness campaigns at a state or country level. Individual issuers can use media campaigns to attract customers by demonstrating that they are actively working to protect them against fraud, or that they have security in place to protect e-commerce transactions.

Finally, I think we could also do a lot more with local and national government to run awareness and education campaigns, also with the schemes and large processes to make it easier to share data within the industry on fraud attacks so that we can get into that data and work to prevent it from happening. Also, working with the law enforcement agencies like the U.S. Secret Service and FBI to provide them with data and insight into fraud attacks. The U.S. Secret Service, for example, has outstanding intelligence and analytical capabilities as well as a global reach. They have the authority to track down and apprehend fraudsters.


Jonathan Hancock - Director Fraud Management Solutions - Global Product Group at TSYS

Jonathan Hancock
Director Fraud Management Solutions, Global Product Group, TSYS

Jonathan Hancock is director of Global Fraud Management Solutions at TSYS. In his current role, Jonathan is responsible for setting and driving the strategic development of TSYS’ existing fraud management solutions to TSYS processing clients, along with solution innovation and new product development. Prior to joining TSYS in 2009, Jonathan’s career in payment card fraud prevention included leadership positions at Barclaycard, Travelex and Visa Europe.


To find out more on the true cost of data breaches, the results of the TSYS consumer awareness and expectations study, and the best ways for issuers to effectively educate and protect consumers when dealing with payments security, download the white paper below.

Download_Here

To listen to the full podcast, click here.