Here we go again. Yet another notice from our ATM/Debit card network provider notification that a couple hundred of our customers VISA-branded debit cards have been compromised. Of course, there is the standard VAGUELY-worded notice as to what compromised means (what actually happened, etc.). Once again, there is no way to analyze the risk to us or our debit card customers. This is the 5th time in the last 6-months that we've had this notification. Each time we have been trying to contact our customers (by phone, no less!) and trying to explain what it means and that we will be pulling their old card and issuing a new one. We've all just about had it....this is such a waste of time and $. It is typically about a hundred customers (we are a community bank).

1. What are other banks doing when they receive these "compromised card" notifications?
2. Do you Always hot-card the card and reissue?
3. Do you ever just "let it ride" and not re-issue the cards and plan to absorb the losses (if any)?
4. Do you try to call your customers or do you just send a form letter, hot-card the card and re-issue a new one?
5. If you send the letter, would you be willing to share it?

Thanks everybody for listening (and responding?) to this rant.................

PS. Good morning.

Ours are Mastercard branded debit cards and it is very tiresome to continually receive these. Especially this time when the compromised timeframe covered 18 months! Why wasn't it caught earlier. Our procedures include spreading the list among our CSRs to call the customers involved the same day to warn them they can no longer use their cards. Hopefully they won't be embarrased when the card rejects. Anyone who cannot be reached by phone are emailed or a letter is sent as a last resort. New cards are ordered also the same day. We consider this not only a risk issue, but also a customer service issue.

NGM, thank you for your response.

Do your CSRs find it difficult to explain the situation to customers?
Don't customers become alarmed that there is going to be additional identity theft because of the situation?

Would you be willing to share your letter or e-mail notification to the customer?

I think it's safe to say we are all sick of the process, but it is necessary. We contact our customers by phone (or by letter if we can't reach them by phone)and reissue new cards. It's a problem for those serving in the military. Almost all customers are understanding and don't want their card number associated with anything fraudulent.

We had a customer who responded to a phishing e-mail from e-bay and had a transaction attempt to post in Romania.

Compromised card notices has become just one more thing we have to do to protect ourselves and our customers.

I would be very curious as to who the servicer is. Please feel free to send me a pm. If we have been getting these notices, I am not aware of it. Thanks,

Our CSRs are like Prairie Gardner's. They are understanding and very appreciative of our calls. We don't have a standard letter or email notification.

These intrusions will continue to be a way of life until the associations (MC/Visa) and industry decide to start to heavly fine these merchants, acquirers and processors as there is no need to store full mag stripe data, CVC2 codes or customer info. My last alert contained about 17,000 account numbers. If you take a sample and review authorization data from the last 12-18 months, it is pretty easy to pinpoint the merchant that was 'intruded.' I will not give the specific name of the last large scale intrusion, but if you look at your accounts it was from factory stores all across the country for a high end clothing retailer. We do not shut every account down, but will monitor these numbers against our cases to track losses. You have to decide what is most cost effective, if you suffer losses on a couple of accounts, will it save more than what would have been spent to replace each card and use the staff to contact each customer.

Original Anon. poster here. Thanks everybody. The feedback was helpful, as always.....................

I discussed this with a Visa fraud manager at a risk conference. I asked if they recommend reissuing. He said that their preference is that banks use fraud monitoring software to watch cards rather than closing and reissuing and inconveniencing customers by replacing their card. One customer could be affected multiple times.

At the moment we are reissuing but are assessing the cost of reissuing against the cost of monitoring and seeing exactly what that would entail, how it would work, etc. (sort of like when credit card banks call you and say I see you bought diamonds and software last night. Was that really you?)

We haven't made a decision yet.