Skip to content
BOL Conferences
Page 1 of 2 1 2
Thread Options
#669544 - 01/22/07 05:39 PM TJX Breach
MikeJ Offline
Member
MikeJ
Joined: Nov 2002
Posts: 76
MA
Curious as to the impact being felt and whether other bankers are reissuing or monitoring?
_________________________
Expressions posted here are not necessarily those of my employer(s).

Return to Top
eBanking / Technology
#669556 - 01/22/07 05:49 PM Re: TJX Breach MikeJ
C_Groat Offline
Member
Joined: Mar 2006
Posts: 70
Salt Lake City, UT
I have seen little fraud thus far and will continue to monitor and make adjustmens to strategies as necessary.

Return to Top
#669576 - 01/22/07 06:08 PM Re: TJX Breach C_Groat
JD in JC Offline
Junior Member
JD in JC
Joined: Jan 2007
Posts: 35
Wisconsin
I've read that fraud associated with this type of activity may not appear for some time as the intruders know that banks and customers will probably be very diligent in the first handful of months that follow.

For us (a CB of about $500M in assets and limited resources in our card processing area), we will close and reissue as a result of this breach. In the past some of our customers demanded that their cards remained open so that they weren't inconvenienced. On almost every occasion fraud was conducted much later and the bank suffered loss, both monetarily and from a reputational standpoint.

We will probably revise our procedures to not permit any compromised card to remain open.

We're oh so comforted by TJX's disappointment over this breach...
_________________________
- Just because something is legal doesn't make it reasonable or right -


Return to Top
#669581 - 01/22/07 06:12 PM Re: TJX Breach JD in JC
JacF Offline

Power Poster
Joined: Nov 2001
Posts: 6,719
PA
As a matter of practice, we close and reissue whenever we are alerted to a potential compromise, so as to avoid the pitfall that JD mentioned.

Return to Top
#669584 - 01/22/07 06:15 PM Re: TJX Breach JacF
JD in JC Offline
Junior Member
JD in JC
Joined: Jan 2007
Posts: 35
Wisconsin
JacFSB:

Out of curiosity, do you provide a timeframe for closing and reissuing, or do you just do it immediately and then contact your customers?

Also, how do you contact them? Do you send them a letter or try to call them or both?
_________________________
- Just because something is legal doesn't make it reasonable or right -


Return to Top
#669595 - 01/22/07 06:30 PM Re: TJX Breach JD in JC
JacF Offline

Power Poster
Joined: Nov 2001
Posts: 6,719
PA
We close the cards right away, and call the customers.

Return to Top
#669623 - 01/22/07 06:47 PM Re: TJX Breach JacF
FraudHorn Offline
Member
FraudHorn
Joined: Dec 2005
Posts: 60
Maine
We are of simlar size as JD in JC and have the same procedures, re-issue and close. Our plastic provider will typically have the new cards to the customer in about 10 business days after ordering. We cut letters to the customer and time their mailing to arrive about 2 days before the new card. The letter explains the reason for the new card and asks them to call us when it arrives, at which time we close the old card. Sometimes they call immeadiately to have it closed but most of the time they jsut wait.
_________________________
The cannons don't thunder there's nothin' to plunder.

Return to Top
#669638 - 01/22/07 07:00 PM Re: TJX Breach FraudHorn
JD in JC Offline
Junior Member
JD in JC
Joined: Jan 2007
Posts: 35
Wisconsin
Thanks for the info, JacFSB and FraudHorn!
_________________________
- Just because something is legal doesn't make it reasonable or right -


Return to Top
#669676 - 01/22/07 07:20 PM Re: TJX Breach JD in JC
C_Groat Offline
Member
Joined: Mar 2006
Posts: 70
Salt Lake City, UT
Do any of the banks that are planning on a blanket reissue, do any type of analysis to show how many customers you lose atfer a mass reissue or customers that reduce their usage of your cards?
Doesn't your cost of reissuing all of these cards everytime a compromise comes up (we had 181 notifications in 2006 for over 150,000 account numbers) far outweigh what incremental fraud you may experience down the road?

Return to Top
#669789 - 01/22/07 08:31 PM Re: TJX Breach C_Groat
MikeJ Offline
Member
MikeJ
Joined: Nov 2002
Posts: 76
MA
We cancel and reissue as a matter of policy and I appreciate all the feedback here. Some banks monitor and my question for those banks is....

Let's say you get a list of 1500 cards and you decide to monitor. Three months from now, one of those account numbers is used and you take a hit. Do you only cancel that card or do you now cancel the other 1499? Do you need to take an individual hit (which could be costly over a nice long weekend) in order to cancel each card?
_________________________
Expressions posted here are not necessarily those of my employer(s).

Return to Top
#669827 - 01/22/07 09:00 PM Re: TJX Breach MikeJ
JD in JC Offline
Junior Member
JD in JC
Joined: Jan 2007
Posts: 35
Wisconsin
C Groat:

I understand your argument and agree with you on the one hand. I think an analysis of actual versus potential losses and lost business due to customer frustration would be the way to go. As you aptly point out, unless we do some sort of analysis, we will never know how many customers we lose from such a policy and whether or not the magnitude of this response gives us the most bang for our buck.

However, our experience of fraud down the road has proved to support MikeJ's comments (at least for us). And with our limited expertise/resources/whatever in this area (including monitoring) we feel, at least at the most basic level, we have a good idea of our costs from a fraud standpoint going into our plan (i.e., $ per card X # of cards to be reissued).

For my bank we are talking about a fraction of the number of accounts you are talking about. I suppose that, in the event the rate of incidents increase substantially, we will eventually have to weigh the option of monitoring/analyzing accounts versus our policy of blanket reissuance.
_________________________
- Just because something is legal doesn't make it reasonable or right -


Return to Top
#669956 - 01/22/07 10:47 PM Re: TJX Breach JD in JC
C_Groat Offline
Member
Joined: Mar 2006
Posts: 70
Salt Lake City, UT
If you have limited resources in your fraud arena to monitor and build new POS type decline strategies as issues occur, I would concur with your assessment to reissue. Unfortunately, with all of these compromises and reissues, the consumers blame the banks for the inconvenience and are quick to move down the street even though they are also affected and may choose to reissue.

Return to Top
#670087 - 01/23/07 02:45 PM Re: TJX Breach C_Groat
JacF Offline

Power Poster
Joined: Nov 2001
Posts: 6,719
PA
Originally Posted By: C_Groat
the consumers blame the banks for the inconvenience and are quick to move down the street even though they are also affected and may choose to reissue.

We always cancel and reissue in these circumstances, and my experience has been exactly the opposite of this. While our customers do not like the inconvenience, they are very appreciative of our proactive approach, and our desire to prevent losses, instead of responding to losses after they happen.

Return to Top
#670098 - 01/23/07 02:51 PM Re: TJX Breach JacF
MadisonCali Offline
Power Poster
Joined: Jun 2006
Posts: 2,515
Originally Posted By: JacFSB
Originally Posted By: C_Groat
the consumers blame the banks for the inconvenience and are quick to move down the street even though they are also affected and may choose to reissue.

We always cancel and reissue in these circumstances, and my experience has been exactly the opposite of this. While our customers do not like the inconvenience, they are very appreciative of our proactive approach, and our desire to prevent losses, instead of responding to losses after they happen.


This was my thought as well.
I was in the sales/service side of banking for quite a few years at a very large institution, and can't think of a single situation where we lost a customer because of being proactive about potential fraud. The essential key to this, IMO, is communication. Let them know (in as personal of a way as possible) what you're doing and why, and they will be thankful.
_________________________
The beatings will continue until morale improves...

Return to Top
#670361 - 01/23/07 05:57 PM Re: TJX Breach MadisonCali
John Burnett Offline
10K Club
John Burnett
Joined: Oct 2000
Posts: 40,086
Cape Cod
The bank that has my accounts is canceling and re-issuing based on the list of compromised cards provided by TJX. We are in the heartland of TJX country up here in Massachusetts, and my bank undoubtedly has a lot of accounts to take care of here. It will take them some time, but they've also made it clear that they will do early reissues for any customer who asks for expedited treatment.
_________________________
John S. Burnett
BankersOnline.com
Fighting for Compliance since 1976
Bankers' Threads User #8

Return to Top
#670800 - 01/24/07 01:21 AM Re: TJX Breach MikeJ
mlh241 Offline
New Poster
Joined: Jul 2006
Posts: 23
Washington
We currently reissue and send letters to the customers (along with the new card) explaining the situation and give them 5-10 days to activate their new card.

Through experience, I have found that giving a deadline date to activate the new card saves a lot of repeated work.

I have not found that we have lost any customers as a result of this. I have found that the customers are appreciative that we are "looking out for them".

We are a small bank ($150M), so we do not have as large amounts as other banks.
_________________________
--I feel a sick day coming on---

Return to Top
#670851 - 01/24/07 01:22 PM Re: TJX Breach mlh241
P*Q Offline

Power Poster
P*Q
Joined: May 2001
Posts: 8,458
Somewhere
John, in speaking with most other Banks in Mass via a statewide compliance group, the impact on us in Mass is HUGE! The average number of cards affected by this has been in the 3,000-4,000 range! Most of hotcarding and reissuing but the staff and monetary impact is big! My card was even one of them. I NEVER shop at Marshalls and the one time I do for one Xmas present, bam this happens! UGH!!!

Return to Top
#670868 - 01/24/07 01:43 PM Re: TJX Breach P*Q
John Burnett Offline
10K Club
John Burnett
Joined: Oct 2000
Posts: 40,086
Cape Cod
I thought you said my present came from Nordstrom's, PQ! Now I'm bummed!
_________________________
John S. Burnett
BankersOnline.com
Fighting for Compliance since 1976
Bankers' Threads User #8

Return to Top
#670895 - 01/24/07 02:29 PM Re: TJX Breach John Burnett
P*Q Offline

Power Poster
P*Q
Joined: May 2001
Posts: 8,458
Somewhere
LOL John!

Return to Top
#670963 - 01/24/07 03:21 PM Re: TJX Breach MikeJ
JavaBanker Offline
Member
JavaBanker
Joined: Jan 2003
Posts: 54
We are a small bank and we feel the re-issue for those customers on the list (and close and reopen DDA account if requested) is by far less risky than to wait and see if there is any fraudulent activity that may occur. Too much liability exposure for us.

Return to Top
#670988 - 01/24/07 03:33 PM Re: TJX Breach JavaBanker
XODUS Offline
Power Poster
XODUS
Joined: May 2005
Posts: 4,384
We had 4000 cards compromised in the first group, we have had one $1100 loss so far. As Cvv was compromised any transactions were going to be a loss. We reissue in these cases. Our procedure is to send a letter first notifying the customer and telling them when there old card will quit working. (usually 3 weeks) then we reissue cards. We don't actually lose many customers to this and we find that we actually help clean up our card base. Further under the new Visa rules we are being compensated a small amount of our costs to reissue the cards so it is less painful than previously.

Return to Top
#671208 - 01/24/07 05:59 PM Re: TJX Breach XODUS
cologirl@heart Offline
Gold Star
cologirl@heart
Joined: Mar 2005
Posts: 355
WY - still a CO girl, though
Where can I find more information about who was affected? I am with someone else above where this is the first year I have been there... of course. I am wondering how you all have heard. Is TJMaxx letting individual banks know? or just credit card processors?
_________________________
...it's all opinion, until proven otherwise...

Return to Top
#671211 - 01/24/07 05:59 PM Re: TJX Breach XODUS
cologirl@heart Offline
Gold Star
cologirl@heart
Joined: Mar 2005
Posts: 355
WY - still a CO girl, though
Where can I find more information about who was affected? I am with someone else above where this is the first year I have been there... of course. I am wondering how you all have heard. Is TJMaxx letting individual banks know? or just credit card processors?
_________________________
...it's all opinion, until proven otherwise...

Return to Top
#671233 - 01/24/07 06:13 PM Re: TJX Breach cologirl@heart
Jasmine Offline
100 Club
Jasmine
Joined: Jul 2002
Posts: 149
Massachusetts
I am also located in Massachusetts. We restrict any transaction that does not require a PIN on the affected cards. This protects against internet transactions. We order new cards and we send letters and make phone calls.

Return to Top
#671450 - 01/24/07 08:29 PM Re: TJX Breach Jasmine
etm614 Offline
Platinum Poster
etm614
Joined: Jan 2003
Posts: 695
Massachusetts
Senior management here did not want to re-issue, but to rely on monitoring with Falcon; however, when it turned out that the cards of some of our directors were affected, that decision was changed in favor of re-issue.

Return to Top
Page 1 of 2 1 2

Moderator:  Andy_Z