Skip to content
BOL Conferences
Thread Options
#1910486 - 04/01/14 05:41 PM Merchant Compromise-Not taking responsibility
Matt_B Offline
Diamond Poster
Matt_B
Joined: Sep 2011
Posts: 1,648
A CU, Where Regs Don't Apply
Wondering what others have experienced in a situation like this.

Our area has seen a spike in plastic fraud and through some information passed on by local PD and other financials, the source has been determined to be a local franchise (fast food) that was locally compromised by staff (at least one, possibly several) with card skimmers (the assumption of course). PD has seen some traffic indicating the sale of those cards to be fairly widespread. The window goes back as far as November 2013, and we ended up deciding to reissue all cards used at the merchant from that time frame on, because the specifically impacted cards can't be isolated. This ended up impacting us more than the Target breach did, and the fraud that we experienced prior to the issue was more costly as well. The merchant isn't taking any responsibilty, won't confirm the employee(s) responsible have been taken care of, or that anything ever happened. Nobody's willing to touch them, due to the franchise backing and potential fallout from the big legal team they would surely drop on us if we did.

How would other, larger places handle a situation like this? I'm at a loss as to how we could be expected to handle losses in the tens of thousands (excluding the man-hours going into all the manual processes we have to conduct) when the responsible party remains a complete mystery to the outside world. It seems we should be able to band together and sue, but I don't know how that would work.

Partially looking for other experiences, partially venting frustration. smile
_________________________
Someone's about to get horned!

Return to Top
eBanking / Technology
#1910532 - 04/01/14 06:54 PM Re: Merchant Compromise-Not taking responsibility Matt_B
rlcarey Online
10K Club
rlcarey
Joined: Jul 2001
Posts: 83,219
Galveston, TX
Nobody's willing to touch them, due to the franchise backing and potential fallout from the big legal team they would surely drop on us if we did.

What makes you so sure this would happen?
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

Return to Top
#1910571 - 04/01/14 07:41 PM Re: Merchant Compromise-Not taking responsibility Matt_B
Matt_B Offline
Diamond Poster
Matt_B
Joined: Sep 2011
Posts: 1,648
A CU, Where Regs Don't Apply
Not sure, but it appears nobody is willing to be the one to find out. Most of our market area is small community banks and credit unions, not real ambitious about going to bat on something like this. I don't think any of us are in a position where we can prove they are the source, unless the PD has more information than they are sharing (I'd hope they do and are pursuing things in some way).
_________________________
Someone's about to get horned!

Return to Top
#1910614 - 04/01/14 08:44 PM Re: Merchant Compromise-Not taking responsibility Matt_B
ItNeverEnds CRCM Offline
Platinum Poster
Joined: Oct 2006
Posts: 995
Looking for my sanity
Did you report this to Visa (or Mastercard if you are Mastercard) Fraud Control? When we had this happen, we were in year 2 of being a de novo and the losses were huge. I was able to get someone from Visa fraud on it and they took control. We were able to recover some money under the visa account data compromise recovery program. Not nearly enough, but better than nothing. You do have to make sure you send a fraud advice for each fraudulent transaction, but it does help you get some recovery if the situation qualifies.
_________________________
"The reason I talk to myself is because I'm the only one whose answers I accept."
- George Carlin

Return to Top
#1910640 - 04/01/14 09:58 PM Re: Merchant Compromise-Not taking responsibility Matt_B
Matt_B Offline
Diamond Poster
Matt_B
Joined: Sep 2011
Posts: 1,648
A CU, Where Regs Don't Apply
We are Visa, but go through a vendor. I'm pushing for information and to see what we can do, since sitting here doing nothing is clearly not fixing any problem. We're concerned that if the issue hasn't been resolved on the vendor's end, that they will just continue skimming cards and our reissue will be for naught. Hopefully we can find something out. Of course our fraud person recently gave her notice and is working on tying up things and training someone to fill in, so getting efforts focused on things is a bit trying. Thanks for the ideas.
_________________________
Someone's about to get horned!

Return to Top
#1910643 - 04/01/14 10:00 PM Re: Merchant Compromise-Not taking responsibility Matt_B
rlcarey Online
10K Club
rlcarey
Joined: Jul 2001
Posts: 83,219
Galveston, TX
So where is law enforcement in all of this??? And I am not talking about the local Barney Fife. Have you talked to the State's AG office about this?
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

Return to Top
#1910659 - 04/01/14 10:30 PM Re: Merchant Compromise-Not taking responsibility Matt_B
ItNeverEnds CRCM Offline
Platinum Poster
Joined: Oct 2006
Posts: 995
Looking for my sanity
We weren't a direct member of Visa either. I just started calling Visa numbers until I found the right department. You don't have to be a Visa direct member to call something like this in. Don't rely on your vendor. I'm not sure of the exact process now, but they had common point of purchase document that you had to complete with the card numbers and submit. But when I finally got a hold of the right person, my problem was solved. Quickly.
_________________________
"The reason I talk to myself is because I'm the only one whose answers I accept."
- George Carlin

Return to Top
#1910668 - 04/02/14 12:57 AM Re: Merchant Compromise-Not taking responsibility Matt_B
BetsyS Offline
Gold Star
Joined: Jun 2009
Posts: 471
Small local merchant breaches are the worst!

The CPP (Common Point of Purchase) form ItNeverEnds refers to can be found in Visa Online, but you have to have access rights. Everyone has an assigned Visa Rep, no matter your size or whether you are a direct member (we're not). Your rep should be able to assist you with accessing and completing the form.
_________________________
Let's start at the very beginning; A very good place to start...

Return to Top
#1910766 - 04/02/14 03:02 PM Re: Merchant Compromise-Not taking responsibility Matt_B
Matt_B Offline
Diamond Poster
Matt_B
Joined: Sep 2011
Posts: 1,648
A CU, Where Regs Don't Apply
I got in and downloaded the forms/instructions for it and passed them on to our fraud person's supervisor. The actual amount of fraud loss is only in the four digit range, so they're not real sure it's worth it, but I'm trying to prompt them that if actions aren't taken, we'll never know the problem was solved and this is our chance to try to recover at least some of the loss.

Randy, the state hasn't been involved yet, that I'm aware of, but that recommendation was strongly made. I told them if we want to see anything happen, sitting and waiting isn't going to get the job done. Who knows if anyone else is bothering to report it, and it sure doesn't hurt to have overlapping reports!

Thanks again for all the help! I'm not over fraud, obviously, but I tend to get involved a lot.
_________________________
Someone's about to get horned!

Return to Top
#1910821 - 04/02/14 04:26 PM Re: Merchant Compromise-Not taking responsibility Matt_B
jms73 Offline
Junior Member
Joined: May 2011
Posts: 47
Secret Service should be alerted when you get no where with local PD.

Return to Top
#1921571 - 05/08/14 09:32 PM Re: Merchant Compromise-Not taking responsibility Matt_B
BearfootContessa Offline
New Poster
BearfootContessa
Joined: Nov 2012
Posts: 17
Secret Service is typically my first point of contact for these types of events, especially since they're often partnered with local law enforcement in task forces. If you're concerned about civil pushback from the merchant, you can always go the SAR/safe harbor route.

Return to Top
#1946494 - 07/28/14 05:17 PM Re: Merchant Compromise-Not taking responsibility Matt_B
Matt_B Offline
Diamond Poster
Matt_B
Joined: Sep 2011
Posts: 1,648
A CU, Where Regs Don't Apply
And late last week, looks like we've had this issue come back up, now involving a second location of the same fast food chain. So far this is based on trend data from us and another financial, but it's not necessarily "proven" by law enforcement or anyone else.

We want to block this particular merchant, but management is hesitant to do so because of the conversations with our customers when they call us because they couldn't get their lunch because their card won't work. They don't think we can say that we've blocked this merchant due to continuing fraud situations, unless we can prove it's the case.

If you were fairly positive, would you block the merchant? How would you explain the reason why your customer's card won't work there? I would love to be honest...but I'm not in charge of fraud, they're just asking me what they can and can't say.
_________________________
Someone's about to get horned!

Return to Top
#1946502 - 07/28/14 05:41 PM Re: Merchant Compromise-Not taking responsibility Matt_B
CULady Offline
Gold Star
Joined: Sep 2007
Posts: 496
WA
I know of a bank that did block a particular merchant that many of us in the state were experiencing similar issues with. From what I understand, as a general rule, the customers were okay because the bank was looking out for them. And as time went on the cashier's at said merchant were aware and would advise the customers as their cards were rejected.
Now, for us... We are a small CU and have very ... high maintenance members, let's say. I know that our poor teller line would be inundated with upset people if we tried to do this as it is a popular place. Losses for us probably in the four digit range as well, but (*fingers crossed*) it seems to be under control now. For us it appeared to be a malware issue on the registers as it was happening at locations across the state.
Not sure if this helps any, but figured I would respond anyway! wink

-K

Return to Top
#1946518 - 07/28/14 06:16 PM Re: Merchant Compromise-Not taking responsibility Matt_B
Matt_B Offline
Diamond Poster
Matt_B
Joined: Sep 2011
Posts: 1,648
A CU, Where Regs Don't Apply
It sure doesn't hurt. Thanks!
_________________________
Someone's about to get horned!

Return to Top
#1946613 - 07/28/14 08:22 PM Re: Merchant Compromise-Not taking responsibility Matt_B
BearfootContessa Offline
New Poster
BearfootContessa
Joined: Nov 2012
Posts: 17
I would discuss with your bank counsel.

We had this issue come up last year. We had an ongoing issue with a local franchise of a popular fast pizza chain. Multiple institutions identified several of these stores as a POC and we called a meeting with representatives from the institutions, law enforcement (local and USSS), and representatives from the Oklahoma Attorney General's office. The takeaway, under Oklahoma law, is that if we had reasonable belief that a particular merchant was a source of compromise, that we had every right to block that particular merchant and inform customers that we had a suspicion of a data breach of the merchant's systems.

Your situation may be completely different (an employee pocket skimmer rather than a data breach) which could open a different can of worms.

At the end of the day, you can always block and indicate to your customers that it's a temporary security measure.

With that said, our institution blocked this particular merchant and received little to no backlash from our customer base - in fact, the response was overwhelmingly positive and we communicated openly with our customers regarding the reasons behind the block.

Return to Top
#1946656 - 07/28/14 11:36 PM Re: Merchant Compromise-Not taking responsibility Matt_B
BrianC Offline
Power Poster
BrianC
Joined: Nov 2004
Posts: 6,685
Illinois
Unfortunately, blocking the merchant doesn't stop your customers from attempting transactions there. Whether the transaction is approved or declined, the card data travels along the same path. If the restaurant is experiencing a breach, denying their authorization requests will not stop the cardholder's data from being compromised.
_________________________
Sola Gratia, Sola Fides, Sola Scriptura, Solus Christus, Soli Deo Gloria!
www.tcaregs.com

Return to Top
#1946776 - 07/29/14 02:45 PM Re: Merchant Compromise-Not taking responsibility Matt_B
Matt_B Offline
Diamond Poster
Matt_B
Joined: Sep 2011
Posts: 1,648
A CU, Where Regs Don't Apply
Thanks for that point Brian, kind of a "duh" moment!

We're reaching out to the local SS office, and suggesting the other community bank that's asked us about the trend to do the same.
_________________________
Someone's about to get horned!

Return to Top
#1947542 - 07/30/14 08:14 PM Re: Merchant Compromise-Not taking responsibility BrianC
BearfootContessa Offline
New Poster
BearfootContessa
Joined: Nov 2012
Posts: 17
Originally Posted By: BrianC
Unfortunately, blocking the merchant doesn't stop your customers from attempting transactions there. Whether the transaction is approved or declined, the card data travels along the same path. If the restaurant is experiencing a breach, denying their authorization requests will not stop the cardholder's data from being compromised.


This is very true. One of the steps we took was a review of customers that attempted transactions at the merchant we blocked. We reached out to them, shut down their card and issued a new one. Eventually the attempts stopped and the merchant finally reached out to me to request we remove the blocks of their systems. They were able to provide me with documentation showing when the malware affecting their payment systems was removed and also when their security was enhanced. As a result, the blocks have now been removed and everyone is happy.

I definitely don't recommend it as a solution for all problems with all merchants - that's where a risk analysis needs to get involved. For our situation, it was appropriate.

Return to Top
#1947550 - 07/30/14 08:18 PM Re: Merchant Compromise-Not taking responsibility BrianC
Kathleen O. Blanchard Offline

10K Club
Kathleen O. Blanchard
Joined: Dec 2000
Posts: 21,293
Originally Posted By: BrianC
Unfortunately, blocking the merchant doesn't stop your customers from attempting transactions there. Whether the transaction is approved or declined, the card data travels along the same path. If the restaurant is experiencing a breach, denying their authorization requests will not stop the cardholder's data from being compromised.


This is an amazingly good point, Brian. The customer is compromised even when the bank blocks the transaction. You can't control where they try to use the card.
_________________________
Kathleen O. Blanchard, CRCM "Kaybee"
HMDA/CRA Training/Consulting/Mapping
The HMDA Academy
www.kaybeescomplianceinsights.com

Return to Top

Moderator:  Andy_Z