Target Corp.'s massive holiday-season data breach touched card issuers of all sizes, including banks as small as StonehamBank, which leveraged technology it refers to as a "digital" employee to manage and replace exposed cards.
The $462 million-asset bank used data and business process automation software called FoxtrotOne, developed by Enablesoft, to automatically adjust spending limits and issue new Visa debit cards within about 48 hours of learning of the breach. The bank replaced about 1,000 of its 8,000 cards.
"Whether it's one card or a thousand, we use the same process to respond to a breach, so there is an element of consistency for the consumer," says Rule Loving, assistant vice president of operations systems for StonehamBank, which has two branches in the Stoneham, Mass. area.
"If we were to hand-punch those numbers, I guess I could do one per minute, but with this system we can do six each minute and never make a mistake. We were able to issue a thousand cards in about six hours that way," Loving says.
After StonehamBank receives a report from Visa that warns of a breach and provides a list of exposed cardholders, the bank uses FoxtrotOne to search Visa's list of potentially exposed cards for those that are still active. FoxtrotOne then creates a customized message that tells affected consumers about new transaction limits and tells them to expect a replacement card. This message goes out by mail and e-mail.
"The program changes the status on a card and reissues the cards. Whatever keystrokes are involved in the process, FoxtrotOne does that automatically as if it were a person," Loving says. "The program was up and running and I was doing other jobs."
FoxtrotOne integrates with the bank's core processing system to enable mass updates in the card records and data that drive the reissuance. FoxtrotOne is also accessible at the core systems' presentation layer, enabling non-IT staff to use the program.
"In the case of StonehamBank, they already had the scripts that we had written to change the card limits, reorder and shut down cards, all they had to do was feed in the data from the breach report," says Richard Milam, the founder and CEO of Enablesoft.
After Target confirmed that card data from about 40 million accounts had been exposed, almost half of all U.S. banks began reissuing cards. JPMorgan Chase, for example, said it needed to replace 2 million cards that were used at Target when the retailer was vulnerable.
"Reissuing all cards is costly, so quickly and accurately identifying which cards to replace is a key step in the process," says Zil Bareisis, a senior analyst at Celent.
How a bank handles a security incident can be an important differentiator, Bareisis says.
Smaller issuers, which typically have less technology scale and fewer resources than larger institutions, may have an advantage when responding to large-scale breach events, says Julie Conroy, a senior analyst at Aite.
"It's much easier to reissue 900 cards, and even do so in a personalized way, than it is to reissue millions of cards, a process that will span multiple months for the large banks," she says.
The Target breach has also drawn attention to EMV-chip cards, which are harder to counterfeit than magnetic stripe cards. Target has accelerated its own EMV migration in the wake of the breach. Some U.S. banks have started issuing EMV cards in recent years, but EMV debit has been stalled in the U.S. as the country's debit networks sort through legal and technological issues of routing EMV debit transactions.
"So far only credit EMV cards have been issued. We do not issue credit cards," Loving says. "But what is often forgotten is that for probably years, EMV cards will also have mag stripes on the back so they can be used either way. Thus I would say our process will not change until the card is only EMV and has no mag stripe on the back."