For banks, the most obvious reaction to the recent compromise of 40 million cards at Target stores would be to re-issue credit and debit cards to all customers who shopped at the retailer. But this approach doesn't seem to be universal.
Data thieves are already selling the card data on underground websites as fast as they can. The breach affected all 1,800 Target stores between November 27 and December 15 of this year.
Many banks are likely to take a wait-and-see approach, says Brian Krebs, the security blogger who broke the news of the Target breach.
The expense and inconvenience of canceling old cards and issuing new ones, and the major inconvenience to consumers during the biggest shopping season of the year, are among the deterrents to reissuing the affected cards.
"People still need their cards, so card companies are not looking to shut them all down," says Brian Riley, senior research director at CEB TowerGroup. "Banks can mitigate the risk by torqueing up their fraud filters. There are sophisticated ways for card companies to box their way through this."
Large banks' fraud analytics systems should be enough to avert fraud without canceling cards, Riley says.
Card issuers will flag the accounts of customers who have shopped at Target and then use fraud mitigation software such as FICO Falcon to look out for unusual behavior at point-of-sale terminals and ATMs.
The card-not-present scenario is more of a challenge than fraud at the point of sale, Riley notes. For hackers, using stolen card data online is much simpler than shopping in a store with a card that's known to be compromised.
Small banks with less advanced fraud filters may need to reissue cards for their affected customers, however.
Target-shopping consumers should be canceling their own cards, Riley says. "What consumers need to protect against is the surprise that happens when you're at dinner and you're paying with the one debit card in your pocket and finding there's a challenge," he says. "It's much better to be proactive than to wait for your card issuers."
Dave Fortney, senior vice president of product development and management at The Clearing House, says affected banks will have to re-issue breach-affected cards.
"This has happened enough times that the card issuers have an established process for what to do in the event of a big data breach," he says. The process includes adding staff, producing mass volumes of cards and mailing them out.
"If 40 million cards were impacted, that's a lot of cards that have to be produced, it certainly can't all be done overnight," Fortney says. "It will take some time," especially since at this time of year the postal service and overnight services are already at maximum capacity, he says.
"Banks will be working through the holidays, there will be people in the call centers who were not planning to be, working around the clock to do this as quickly as possible," he says.
Banks' card fraud analytics systems are sophisticated, Fortney agrees. "I've personally had things caught by those systems that I'm glad were caught; someone had somehow gotten hold of my card number," he says.
But if a bank is certain someone's card was compromised, it's likely to reissue that card and perform fraud screening until the customer receives and registers the new card, Fortney says.
Customer service will be important to handling this data breach. "A lot of customers will be reading these stories, calling their banks, and asking about any suspicious activity," he says. "There's a huge emphasis on having call centers at maximum capacity."
Target will need to reissue its RedCards as well, he says. The RedCard is Target's loyalty credit card, which can also be tied to a bank account and act as a debit card. "I did notice on their website that they're telling customers, 'if you have a RedCard, don't call your bank, call us,'" he says.
Some consumers won't want to use their bank cards or RedCard at Target out of fear.
Long-term, Fortney says tokenization is the way to prevent card account data breaches. The customer would receive a one-time use token with which to make purchases rather than a static account number. Some banks are considering this approach for mobile payments.
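The one-time-use token idea described above, as an added example that is not from the article or from any card network's specification. The `TokenVault` class, the merchant binding, the store identifier and the sample card number are assumptions made for illustration.

```python
import secrets


class TokenVault:
    """Issuer-side vault mapping single-use tokens to account numbers.

    Hypothetical design: real token services differ in detail.
    """

    def __init__(self):
        self._live = {}  # token -> (account number, merchant the token is bound to)

    def issue(self, pan, merchant_id):
        # The token is random, so it reveals nothing about the account number.
        token = secrets.token_hex(8)
        self._live[token] = (pan, merchant_id)
        return token

    def redeem(self, token, merchant_id):
        """Return the account number for a valid token, else None.

        Any presentation consumes the token, so a copy stolen from a
        merchant's systems after the purchase cannot be replayed.
        """
        entry = self._live.pop(token, None)
        if entry is None:
            return None
        pan, bound_merchant = entry
        return pan if bound_merchant == merchant_id else None


def simulate_breach():
    vault = TokenVault()
    pan = "4111111111111111"   # constructed test number, not a real account
    merchant_log = []          # what the retailer's systems would retain

    token = vault.issue(pan, "store-0001")
    merchant_log.append(token)  # the merchant never sees the account number
    approved = vault.redeem(token, "store-0001") == pan

    # Later, the merchant log is stolen and every entry is replayed.
    replays = [vault.redeem(t, "store-0001") for t in merchant_log]
    return approved, replays, pan in merchant_log


if __name__ == "__main__":
    print(simulate_breach())
```

The legitimate purchase is approved, every replayed token is rejected, and the static account number never appears in the data held by the merchant.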
And while some have posited that this breach shows the need for more modern, digital currencies like Bitcoin, Fortney says the current payments system has it all over digital currencies.
"Can you imagine if someone hacked into Bitcoin?" he muses. "Old world payments are 100% guaranteed. Who would you even call if your Bitcoin code went wacky and you just lost $1 million?"
Adam Williams, Diebold's chief security officer, also says banks should send out new cards to affected customers.
"I'm a firm believer that when there's uncertainty you reissue," Williams says. His family has shopped at Target, and he has already cancelled his credit card. "I would prefer to go a couple of days with an inconvenience than wait around and see."
Banks can suspend RedCard activity to certain accounts on an interim basis to protect consumers' financials, he says.
He also agrees that this is a terrible time of year for that.
"There probably couldn't be a worse time of year," he says. "Especially for me, as I haven't done some of my Christmas shopping yet."