2007 Card Issuers' Identity Safety Scorecard

“Card issuers have a golden opportunity to increase loyalty and retention, and strengthen relationships and their brand reputation, by giving consumers simple identity fraud prevention tools they like to use,” said James Van Dyke, President of Javelin Strategy & Research. “Identity fraud is a major pain point for consumers and can damage the relationship between the consumer and the card issuer.”

Security elements of a dream credit card for protection against identity fraud

Javelin’s research has determined the optimal combination of available, effective tools and policies that best protect consumers. Below are the ideal security elements of a dream credit card and research findings in support of them:

For Fraud Prevention

• Provides customers the ability to restrict or allow certain types of transactions (e.g. cash advances, foreign transactions, card-not-present transactions).
• Uses identifiers other than social security numbers for identity verification.
• Truncates all customer-sensitive data while interacting with customers. Encourages customers to protect their home computers with anti-virus software by partnering with security software vendors (e.g. Bank of America’s partnership with Symantec).
• Offers photo of account holder on card.

For Fraud Detection

• Provides mobile device or email alerts of high-risk changes to accounts (e.g. replacement card sent out, PIN or password reset, change of physical address or email address), initiation of higher-risk transactions (e.g. card not present, foreign transactions, activity on dormant account), and status of accounts (payment past due). Over two-thirds of account takeover cases are due to a fraudulent change of address. Alerts for changes to personal information are one of the top desired alerts by consumers.
• Notifies customers of new account set-ups. New accounts fraud is traditionally the most difficult for consumers to detect. Credit cards continue to be the most abused category of fraudulent new accounts.
• Facilitates consumer ordering of credit reports and credit monitoring services. New fraudulent accounts can be virtually invisible to a consumer without a credit monitoring service.

For Fraud Resolution

• Institutes a comprehensive, up-to-date data breach resolution plan.
• Provides an identity fraud assistance team to help customers affected by fraud.
• Offers zero liability for fraud.
• Offers next-day card replacement in addition to 24/7 account suspension capabilities.
• Offers free identity fraud insurance.

Key findings from the report

• Many issuers are not providing consumers with the ability to specify limits or prohibitions on particular types of account activity. Only 24% of card issuers provide user-defined limits and/or prohibitions (UDLAPs) on cash advances.
• More than half (56%) of top card issuers still require full nine-digit Social Security numbers when interacting with customers, whether by phone, Internet or mail. This is a risky practice that unnecessarily increases the customer’s exposure to identity fraud.
• The number of issuers offering transaction alerts for transactions such as payment past due, new account set up, foreign transactions and replacement cards is a missed opportunity for issuers.
• The lack of alerts for changes to personal information makes issuers especially vulnerable to new accounts fraud and account takeover. Only 16% of card issuers provide an alert for physical address change.
• 84% of issuers report having a data breach resolution plan in place, given the ever-increasing awareness of incidents such as the TJX breach. Considering the tremendous risk to brand posed by a security breach, it is imperative that any issuer appropriately handle customer notification and assessment in the event that a breach occurs.

Where the industry can improve -- stronger fraud prevention and detection

To date, issuers have provided consumer security guidelines, multi-factor log-in authentication and online purchase authentication. However, this does not go far enough. Issuers have an opportunity to do better in prevention and detection.

Issuers can strengthen their brands and increase customer loyalty by placing some of the responsibility into the hands of their customers, specifically, by implementing UDLAPs on specified activities and dynamic, two-way alerts for suspicious transactions. Customers must also be given greater authority over their user profiles and have the ability to receive alerts for any high-risk changes to their records or any activity that they have defined as abnormal.

Javelin’s research found that customers know their own spending habits best and can set the appropriate levels of security when armed with the ability to impose restrictions on their own accounts. “Consumers play an essential role in security, detecting nearly half of all identity fraud cases,” said Rachel Kim, Javelin Risk & Fraud Analyst. “Consumers want to be involved in protecting their accounts, with 60% viewing this as a duty they share with their financial institution.”