Card Data Breach Loss Prevention Checklist

By Ann Davidson, VP of Risk Consulting at Allied Solutions

Many of the large-scale card data breaches in 2015 involved the compromise of magnetic stripe data on both credit and debit cards. In most of these breaches the compromised data was the track 1 or track 2 magnetic stripe data, and the resulting fraud appears as magnetic stripe (POS 90) transactions, as reported by the merchant during transaction authorization. Because the track data can be duplicated, there is likely to be a high risk of future fraud exposure if you opt not to block and reissue these cards.

For an in-depth look into payment card fraud risks that many credit unions are being hit hard with right now, watch Allied’s webinar “Card Fraud on the Rise: How Financial Institutions Can Help Prevent It.”

Card Data Breach Loss Prevention Checklist:

  • Evaluate the compromised card number to help determine if the risk is high
    • A high risk involves the full unaltered magnetic stripe data from track 1 and/or track 2 – track 1 carries the cardholder name; track 2 does not
  • Confirm you’re utilizing “name matching” if track 1 data was part of the breach
  • Review card associations’ alerts and act immediately on the at-risk card data outlined in each alert
  • Analyze at-risk open card accounts to determine which cards are and are not still active
  • Review other card accounts to find out which cards are non-active and have already been closed due to fraud
  • Identify the fraud pattern to uncover the common point of compromise (CPP)
    • This is where the breach took place, not where the fraud occurred
    • Once discovered, report the CPP immediately
  • Block and reissue impacted, open card numbers when the magnetic stripe data has been compromised
  • Accelerate the reissuance of active cards prior to their expiration date
  • Consider reissuing the card 30 to 180 days before the date of expiration
  • Ask the card association(s) to take recovery action related to any expenses
  • Report the fraud to the Visa Fraud Reporting System and/or MasterCard’s SAFE system, as reporting is a requirement under the card association(s) rules
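The fraud-pattern analysis behind finding the common point of compromise can be sketched in code. The following is an added example, not part of the original checklist or Allied’s material: the card ids, merchant ids, transaction dates and fraud dates are constructed, and ranking merchants by their lift over the whole portfolio’s exposure is one reasonable approach to CPP analysis rather than a method the checklist prescribes.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not real accounts or merchants).
# Each transaction is (card_id, merchant_id, transaction_date).
TRANSACTIONS = [
    ("card-A", "M-GROCERY", date(2015, 3, 1)),
    ("card-A", "M-GASCO",   date(2015, 3, 3)),
    ("card-A", "M-DINER",   date(2015, 3, 5)),
    ("card-B", "M-GROCERY", date(2015, 3, 2)),
    ("card-B", "M-GASCO",   date(2015, 3, 4)),
    ("card-C", "M-GASCO",   date(2015, 3, 6)),
    ("card-C", "M-GROCERY", date(2015, 3, 7)),
    ("card-D", "M-GROCERY", date(2015, 3, 8)),   # no fraud reported on card-D
    ("card-E", "M-GROCERY", date(2015, 3, 9)),   # no fraud reported on card-E
    ("card-E", "M-DINER",   date(2015, 3, 10)),
]

# Constructed fraud reports: card_id -> date of the first confirmed
# counterfeit magnetic stripe (POS 90) transaction on that card.
FRAUD_REPORTS = {
    "card-A": date(2015, 4, 1),
    "card-B": date(2015, 4, 2),
    "card-C": date(2015, 4, 3),
}


def merchants_before_fraud(transactions, fraud_reports, lookback_days=90):
    """Map each fraud card to the merchants where it was legitimately used in
    the lookback window ending the day before its first fraud. The compromise
    happened at one of these, so they are the CPP candidates for that card."""
    window = timedelta(days=lookback_days)
    seen = defaultdict(set)
    for card, merchant, when in transactions:
        first_fraud = fraud_reports.get(card)
        if first_fraud is None:
            continue
        if first_fraud - window <= when < first_fraud:
            seen[card].add(merchant)
    return seen


def portfolio_exposure(transactions):
    """Fraction of all cards in the portfolio that transacted at each merchant.
    This baseline keeps a merchant that everyone uses (a large grocery chain)
    from looking like the CPP just because it appears on every fraud card."""
    cards_at = defaultdict(set)
    all_cards = set()
    for card, merchant, _ in transactions:
        cards_at[merchant].add(card)
        all_cards.add(card)
    return {m: len(c) / len(all_cards) for m, c in cards_at.items()}


def cpp_candidates(transactions, fraud_reports, lookback_days=90, min_share=0.8):
    """Rank merchants as common-point-of-compromise candidates.

    Returns (merchant, fraud_share, baseline_share, lift) tuples: fraud_share is
    the fraction of fraud cards used at the merchant before their fraud,
    baseline_share is the portfolio exposure, and lift is their ratio. Only
    merchants seen on at least min_share of the fraud cards are kept, sorted
    by lift, highest first."""
    per_card = merchants_before_fraud(transactions, fraud_reports, lookback_days)
    baseline = portfolio_exposure(transactions)
    fraud_cards = len(fraud_reports)
    hits = defaultdict(int)
    for merchants in per_card.values():
        for m in merchants:
            hits[m] += 1
    ranked = []
    for m, n in hits.items():
        share = n / fraud_cards
        if share < min_share:
            continue
        lift = share / baseline[m]
        ranked.append((m, share, baseline[m], lift))
    ranked.sort(key=lambda r: (r[3], r[1]), reverse=True)
    return ranked


if __name__ == "__main__":
    for merchant, share, base, lift in cpp_candidates(TRANSACTIONS, FRAUD_REPORTS):
        print(f"{merchant:10} fraud cards {share:.0%}  portfolio {base:.0%}  lift {lift:.2f}")
```

On the constructed data every fraud card visited both M-GROCERY and M-GASCO, but M-GROCERY is used by the whole portfolio (lift 1.0) while M-GASCO is used mainly by the fraud cards (lift about 1.67), so M-GASCO is the candidate to investigate and, once confirmed, to report to the card associations as the checklist says. The lookback window should be set to cover the period in which the breach is suspected to have occurred.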

Watch Allied’s webinar “Card Fraud on the Rise: How Financial Institutions Can Help Prevent It” to learn more about payment card fraud risks.

Allied Solutions is the NAFCU Services Preferred Partner for Insurance – Bond, Creditor Placed (CPI), Guaranteed Asset Protection (GAP), and Mechanical Breakdown Protection (MBP). More educational resources and partner contact information are available at


Combat Social Engineering Fraud

Produced by Jay Slagel, VP of Risk Management at Allied Solutions

Due to a general lack of awareness, fraudsters are often successful in obtaining your account holders’ private information using various social engineering methods. Because of this, it is essential that you raise awareness among your employees about the causes of social engineering fraud and the prevention measures your financial institution has in place to combat these attacks.

Social engineering fraud occurs in a variety of ways:

  • Phishing attacks via email or phone, where the fraudster claims to be a person of authority to obtain confidential and personal information.
  • Impersonation of a fellow employee, friend, or vendor to gather personal and confidential account information.
  • Obtaining personal and confidential information from digital storage devices (such as thumb drives, phones, or CDs) or paper documents that were not discarded properly.
  • Offering prizes or gifts via phony emails or calls in exchange for private information and/or money.
  • Baiting, where the fraudster leaves an infected storage device, like a thumb drive or CD, at a location where someone is likely to find it, enticing that person to load the infected device onto their computer.
  • Phone phishing, where the fraudster uses an interactive voice response (IVR) system to imitate a message from the person’s financial institution, directing the account holder to input their confidential and personal information.

Credit unions can defend against social engineering fraud by changing their corporate culture through education and training. Employees should know how to recognize methods of social engineering and how to combat those attacks.

Actions your financial institution should take to combat social engineering include:

  1. Determine which employees have access to sensitive information and may be targeted.
  2. Educate employees about ongoing threats.
  3. Verify that deposited checks clear before permitting a withdrawal or transfer.
  4. Establish a multi-level authentication process for financial transactions or account change requests that are not performed in person.
  5. Never open attachments or links in emails received from untrusted sources, and do not forward these emails.
  6. Tell employees to be wary of any prizes or offers made over the phone or through email, especially those that offer to update, correct, or solve a computer issue or problem.
  7. Protect the private information on documents or storage devices that are no longer needed until they have been shredded or destroyed.
  8. Conduct tests to determine where system vulnerabilities exist and promptly address those areas of weakness.
  9. Monitor social media outlets to reduce the chance of sensitive information being posted.

It is likely that one or more of your employees will be the target of a social engineering scheme, but taking proactive steps early and often will help your financial institution to remain protected from these fraud attempts.


Allied Solutions is the NAFCU Services Preferred Partner for Insurance – Bond, Creditor Placed (CPI), Guaranteed Asset Protection (GAP), and Mechanical Breakdown (MBP); and rateGenius. More educational resources and contact information are available at