Monday, January 26, 2009

Here We Go Again

Now we have the Heartland Breach burning up the airwaves. Unless you were stuck in a cabin in the remote wilderness for the past few days, you heard about the most recent data breach of Heartland Payment Systems that resulted in approximately 100 million cards being compromised. Supposedly - bigger than TJX.

Reporters came out of the woodwork with headline stories discussing the latest Identity Theft story. Unfortunately, this is not an identity theft story. It is a story about stolen card information. This lack of understanding and misinformation does nothing to help us in the fight against identity theft.

Identity theft is when someone gains access to a person's identifying credentials and uses this to either take over an existing account or open up a new account in the victim's name. This leads to a serious burden on the victim who then has to fight for months and years to clean up their credit histories, their name and yes, their personal identity.

In the Heartland case, credit card numbers were compromised. Yes - this is serious, but from a consumer standpoint, it in no way resembles identity theft. If someone gains access to your credit card number, what can they do with it? Virtually nothing. If you want to order merchandise online - you need not only the credit card number, but also the Billing Name, Address and security code. Heartland maintains that this information was not part of the breach.

Even if it were compromised, this is not overly impactful to the consumer. Even if the card were used fraudulently, it would be the merchant or issuer that would bear the brunt of the damage. For the consumer, when they saw the fraudulent transaction - they would call their issuer and would not be liable for anything beyond $50 (which is never collected anyway). At that point, the issuer would issue a new card and numbers and the consumer would go on their merry way.

I think we need some more consumer education, so we can better focus on controls. I think a good first step would be to begin clarifying two types of breaches: an Identity Theft Breach and a Credit Card Number Breach. If I had heard that 100 million identities had been breached - I would probably have put an immediate fraud block at the bureau. The Heartland breach is meaningless to me... other than watching the News, or should I say Wrong News.

A.E>>>

Thursday, January 15, 2009

Score Based Compliance Solutions the New Standard?

Over the past few weeks and months, I have been hearing more and more about our clients and prospects asking for score-based compliance solutions. While this may seem logical, it has not been and is not the norm.

Historically speaking - the lion's share of financial services companies have deployed traditional ID Verification solutions to meet BSA and CIP compliance requirements. What I mean is that they have deployed solutions to essentially "match" the identifying elements for a new customer application, e.g. "Did the social match?", "Did the address match?", etc. In addition - these solutions also check for additional things like "Are they on the OFAC list?". Based on these matches and data, the institution can then take action per its compliance program.

While I think most would agree that these steps and measures will most likely get companies in compliance - you can quickly see how they are not foolproof at preventing identity theft and fraud. Consider a fraudster who establishes a completely new identity, a fraudster who first opens up a phone number at a new address in the victim's name, whereupon they will then be "matched at address", or a fraudster who fraudulently changes the address at the post office. In these cases, the transactions will "pass", as we have verified the information.

Similarly - the majority of "non-matches" are not fraud - but good, legitimate consumers. Together - we can see the dilemma - verified customers can be fraud, while unverified customers are mostly good.

That is why scoring makes so much sense. Why? Because all of the information used in the decision is just that - information. It is not the truth - merely a measure of the truth. By scoring, we are able to look at all of the information and create the most optimal measure of the truth. This will lead to smarter decisions, lower amounts of fraud, and the most reasonable compliance program available.
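The contrast between match-based and score-based decisions, as an added example that is not code from this post or from any vendor's product. The signal names, weights, prior and review threshold are constructed assumptions chosen to mirror the cases described above; OFAC screening is assumed to stay a hard rule in both approaches.

```python
# Constructed evidence weights in log-odds units (assumptions, not from the post).
# Each entry: signal -> (weight when True, weight when False); positive leans fraud.
WEIGHTS = {
    "ssn_match":         (-1.0, 1.2),
    "address_match":     (-0.8, 0.6),
    "phone_match":       (-0.5, 0.4),
    "address_new":       (1.5, -0.7),  # address on file for under 90 days
    "phone_new":         (1.3, -0.5),  # phone line opened under 90 days ago
    "change_of_address": (1.4, -0.3),  # recent postal change-of-address
}
PRIOR = -3.0             # constructed base rate: most applicants are legitimate
REVIEW_THRESHOLD = -2.5  # constructed cut-off for manual review


def match_decision(app):
    """Traditional ID verification: pass/fail on field matches plus OFAC."""
    if app["ofac_hit"]:
        return "reject"
    return "pass" if app["ssn_match"] and app["address_match"] else "fail"


def fraud_score(app):
    """Sum the evidence: every field shifts the score, none decides alone."""
    return PRIOR + sum(w_true if app[name] else w_false
                       for name, (w_true, w_false) in WEIGHTS.items())


def score_decision(app):
    if app["ofac_hit"]:  # sanctions screening stays a hard rule (assumption)
        return "reject"
    return "review" if fraud_score(app) >= REVIEW_THRESHOLD else "approve"


# Constructed applicants mirroring the cases in the post.
FRAUD_NEW_PHONE = dict(ssn_match=True, address_match=True, phone_match=True,
                       address_new=True, phone_new=True, change_of_address=True,
                       ofac_hit=False)
GOOD_NON_MATCH = dict(ssn_match=True, address_match=False, phone_match=True,
                      address_new=False, phone_new=False, change_of_address=False,
                      ofac_hit=False)

if __name__ == "__main__":
    for label, app in [("fraud, new phone at new address", FRAUD_NEW_PHONE),
                       ("legitimate, address mismatch", GOOD_NON_MATCH)]:
        print(f"{label}: match={match_decision(app)} "
              f"score={fraud_score(app):.1f} -> {score_decision(app)}")
```

The match rule passes the fully "verified" fraudster and fails the legitimate applicant, while the score sends the first to review and approves the second.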

I suspect that this drumbeat around scoring based compliance solutions will only get louder.

A.E>>>