September 21, 2017
By Grant Olson, Founder, Great Authorization Opportunities
The Equifax Data Breach of up to 143 million data records is much different than the 100 million credit cards stolen in 2013 and 2014 from Target and Home Depot. The prior credit card breaches resulted in a big spike in credit-card declines that normalized around four months after each breach. Millions of card numbers were quickly sold on the dark web and used fraudulently, resulting in an immediate proactive reissuance of new card numbers by many large banks.
The Equifax breach of social security numbers and other important personally identifiable information (PII) will likely result in a spike in account takeover (ATO) fraud. Criminals will use the detailed personal information to take over existing accounts and open new accounts. Unlike the prior retailer data breaches, where new card numbers were quickly issued, social security numbers are permanent, which means the fraud that results could continue for years—possibly decades—as this info permeates through the dark web.
For subscription-based CNP merchants, the nature and scope of the compromised information will have several serious repercussions:
- More credit card and ACH declines due to fraud – As fraud occurs on payment cards and bank accounts, we should expect more payment declines as accounts are closed due to fraud. While the Account Updaters (AU) will be a huge help in providing new card numbers in an automated manner, additional declines still result because not all banks participate, consumers opt-out of the AU, and many updates do not arrive before payments are declined.
- More credit card declines due to tighter authorization rules – Each bank has the discretion to set their own parameters defining whether each unique payment will be cleared or declined. An increased risk of fraud results in tighter parameters and more declines.
- Increased Account Updater fees – Card brands charge to provide each new card number, expiration date update, and for account closure notification. Merchants that run AUs will pay more for additional updates due to the Equifax data breach.
Here are a few actions CNP merchants should take to minimize the impact from the Equifax Data Breach:
- Monitor fraud declines – Many large banks like Chase use the generic “530-Do Not Honor” decline code for fraud, which makes it a challenge to determine how many declines are the result of fraud versus other decline reasons. Fortunately, some banks still use fraud-specific decline codes such as “502-Lost/Stolen,” “501-Pickup,” and “806-Restraint.” Tracking these fraud decline codes closely going forward should help quantify the impact of the Equifax Data Breach.
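The monitoring described above can be automated against a recurring-billing decline log. The following script is an added example, not code from the article or from any payment processor: it classifies each decline as fraud-specific (the 502/501/806 codes named above), ambiguous (the generic 530) or other, compares the fraud-specific share in a pre-breach baseline window with a later watch window, and lists the issuers that only ever return 530, where the fraud share cannot be measured at all. The log format (date,issuer,code), the code "110" used as a non-fraud decline, the issuer names and every record are constructed for illustration.

```python
"""Track fraud-specific decline codes to measure a breach's impact.

Added example with constructed data; decline code meanings for
501/502/530/806 follow the article, "110" is a made-up non-fraud code.
"""
from collections import Counter, defaultdict

# 530 is the generic code many large issuers use for fraud, so it cannot be
# attributed cleanly; the other three are explicitly fraud-related.
GENERIC_DO_NOT_HONOR = "530"
FRAUD_SPECIFIC = {"502": "Lost/Stolen", "501": "Pickup", "806": "Restraint"}

# Constructed sample log of recurring-payment declines: date,issuer,code
SAMPLE_LOG = """\
2017-08-01,BankA,530
2017-08-01,BankB,502
2017-08-01,BankC,110
2017-08-02,BankA,530
2017-08-02,BankC,110
2017-08-03,BankB,110
2017-08-03,BankA,530
2017-09-10,BankB,502
2017-09-10,BankB,501
2017-09-10,BankA,530
2017-09-11,BankC,806
2017-09-11,BankB,502
2017-09-11,BankA,530
2017-09-12,BankB,501
2017-09-12,BankC,502
2017-09-12,BankC,110
"""

BASELINE_DAYS = {"2017-08-01", "2017-08-02", "2017-08-03"}
WATCH_DAYS = {"2017-09-10", "2017-09-11", "2017-09-12"}


def parse_log(text):
    """Parse 'date,issuer,code' lines into (date, issuer, code) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, issuer, code = (field.strip() for field in line.split(","))
        records.append((day, issuer, code))
    return records


def classify(code):
    """Bucket a decline code: fraud-specific, ambiguous (530), or other."""
    if code in FRAUD_SPECIFIC:
        return "fraud"
    if code == GENERIC_DO_NOT_HONOR:
        return "ambiguous"
    return "other"


def daily_counts(records):
    """Per-day Counter of the three buckets, for charting the trend."""
    per_day = defaultdict(Counter)
    for day, _issuer, code in records:
        per_day[day][classify(code)] += 1
    return per_day


def fraud_rate(records):
    """Share of declines carrying a fraud-specific code (0.0 if no declines)."""
    buckets = Counter(classify(code) for _day, _issuer, code in records)
    total = sum(buckets.values())
    return buckets["fraud"] / total if total else 0.0


def spike_ratio(records, baseline_days, watch_days):
    """Fraud-specific decline rate in the watch window divided by the
    baseline rate; values well above 1.0 indicate a fraud-driven spike."""
    base = [r for r in records if r[0] in baseline_days]
    watch = [r for r in records if r[0] in watch_days]
    base_rate, watch_rate = fraud_rate(base), fraud_rate(watch)
    return watch_rate / base_rate if base_rate else float("inf")


def issuers_using_only_generic_code(records):
    """Issuers whose every decline is 530: their fraud share is unmeasurable
    from codes alone and needs chargeback data or issuer contact instead."""
    codes_by_issuer = defaultdict(set)
    for _day, issuer, code in records:
        codes_by_issuer[issuer].add(code)
    return sorted(i for i, codes in codes_by_issuer.items()
                  if codes == {GENERIC_DO_NOT_HONOR})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for day, counts in sorted(daily_counts(recs).items()):
        print(day, dict(counts))
    print("fraud-rate ratio (watch / baseline): %.2f"
          % spike_ratio(recs, BASELINE_DAYS, WATCH_DAYS))
    print("issuers returning only 530:", issuers_using_only_generic_code(recs))
```

On the constructed data the fraud-specific share rises from 1/7 of declines in the baseline to 2/3 in the watch window, a ratio of about 4.7, while BankA is reported as unmeasurable because it only returns 530. In practice the baseline window should cover several normal months so seasonal decline patterns do not register as a spike.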
- Implement decline-reduction best practices – Recurring payment declines result in increased attrition, customer service costs, delayed cash flow, rate reduction requests, credit requests, and other costly customer friction. Data breaches underscore the importance of Account Updater, payment recycling, hybrid decline code configuration, payment decline communication, and other decline reduction strategies. Acquirers are a resource for best practices, but often acquirers don’t have the bandwidth, knowledge or alignment to help merchants develop a comprehensive decline reduction strategy. Often hiring an independent specialist will allow you to quickly and cost-effectively address opportunities to retain more customers and increase revenue.
- Watch for fraudulent new accounts – Breached data may be used by sales partners to generate commissions on fake new accounts. Merchants need to be very careful in monitoring new business partners–especially those that get paid to generate new accounts online. All businesses are more at risk of fake account scams due to the easier access to social security numbers and other PII.
- Prevent account takeovers – Merchants should evaluate financial and security vulnerabilities from criminals taking over existing customer accounts. Merchants need to be proactive and anticipate an increase in ATO fraud attempts.
- Password reset vulnerabilities – The PII leaked in this intrusion includes names, addresses, dates of birth, social security numbers, driver’s license numbers, and employer information. Merchants need to look through the PII fields included in the Equifax data breach to ensure that they don’t ask for this info as part of automated or manual password resets – both for employees and customers.
- Application vulnerabilities – The Equifax application flaw was in a popular open-source software package called Apache Struts. Sadly, the flaw was identified back on March 7, 2017, and Equifax did not install a patch that would have fixed the known security issue. All web-facing applications need to be reviewed to ensure the latest security patches have been installed.
The full scope of the damage incurred by subscription merchants may not be tabulated for years. Here are the five major decline-producing events that the Equifax Data Breach will be measured against:
- Target data breach – The breach of 40 million credit cards caused declines to spike starting in December 2013.
- Home Depot data breach – The breach of 60 million cards caused a decline spike starting in October of 2014.
- EMV chip conversion – Banks started a full-scale conversion to EMV chip cards in April of 2015 which lasted nearly a year.
- Costco conversion from AMEX to VISA – This 11 million card conversion caused a spike when all cards were cutover on the same day on June 20th, 2016.
- USAA conversion from MasterCard to VISA – The 15 million USAA card conversion from MasterCard to VISA started in February 2016, and the USAA conversion took nearly a year.
My prediction is that the Equifax data breach will not produce a huge spike in payment declines and the impact will be similar to the EMV Chip Card conversion—a new normal of additional declines that will start in a few months and last a year or two. The ATO and new account fraud should be concerning to all merchants as well.