Positioning your Institution’s Response in the Face of Data Breach
Unless you’ve been living under a rock in North America, it’s pretty hard to have missed news of recent high-profile data breaches.
I’d venture to say these stories have made their way into the wider, global purview (note: as I write this, another report regarding a massive data breach in South Korea affecting 20M cardholders was released). While the number of retailers and account holders impacted by these events continues to increase and make headlines, issuers and merchants alike must address ways to instill confidence in their customers in short order.
Upon hearing this type of news, cardholders immediately think “Was I impacted? What do I need to do? Will my account be closed? Will I get a new account number and new debit or credit card?” These and many more questions likely flood the support lines as customers want to understand their real-life implications and steps they need to take to protect themselves.
When associations, banks, issuers and retailers identify significant and/or high-profile data breaches, they must first identify the nature of the problem, recognize the potential impact and then develop the correct course of action for their institution. Following this, they need to determine how best to communicate with their impacted customers. When financial institutions have a well-coordinated strategy (i.e. email, SMS, voice, mobile app, etc.) in making their customers aware of the institution’s vigilance, posture and plan, they win. It goes beyond just reassuring a customer; it is an opportunity to assert a distinctive leadership role in the marketplace.
In instances where a mass block and reissue event is warranted, proactive communication (identifying the problem, how it’s going to impact your customer and what you’re doing to put it right) can be an opportunity to stand out as a financial institution, distinguished in your customer relationships. When a breach is made public, the ability to keep your customers informed, via multiple channels, whatever the event or scenario, can be a true differentiator in customer satisfaction and speed of response. For banks and processors who are solely evaluating high-profile breaches through the lens of a risk or security response, this can be a segmentation opportunity.
An unfortunate reality of being in the payments business is fraud. Most in the industry accept that these events can and do happen. A lot. I would say that there were at least many hundreds (if not well into the thousands) of data breaches last year of varying size, some of which are never reported, some that are reported and then intentionally buried. In fact, a recent Infosec study suggested that 57% of malware self-detected in business was not reported. Further, law enforcement believes they only have visibility to a fraction of these breaches. These incidents happen to businesses of all sizes, in many geographic locations, and when you are in the trenches of fraud monitoring, these are constant issues that may require your attention. They’re exhausting, and so common that “breach fatigue” was recently coined to describe the condition.
Breach fatigue, however, shouldn’t be expected to be something new. One of the soundest things said over the last few weeks came from a sage veteran law-enforcement officer who now only consults for banks, and we’ve heard this before: the working assumption should be that all cards may already be, or at any time could be, breached, at risk and carrying the potential for fraud. Using this as a baseline assumption, and then utilizing another industry standard of layered security/controls, issuers should be able to assume the posture to manage this situation effectively. The position is this: the financial services industry can set controls that are tied to this specific breach, as well as controls that are tied to the one that came before it, and finally create controls that will protect us from the next one. Deploying a risk-based, compromise-centric and layered framework is one way to prevent data breaches from stunning us in the future.
Coupling that with a proactive customer communication management plan is paramount and elevates that framework. This combined path best positions the institution in support of their customers and against the fraudsters who are trying to exploit the system. Breaches are now quite common, but the response to them is what makes an institution uncommon in the environment.