When referring to the recent breach suffered by US retailer Target and the payment cards compromised in the incident, many people only think about the data. However, the process of reissuing the cards depends a great deal on the company that’s responsible for producing the physical cards.
Brian Krebs has learned that some financial institutions are forced to print their own cards because the regular service providers are too busy due to the large number of orders.
Representatives of a small federal credit union have told Krebs that they’ve had to print around 2,000 cards themselves after Fiserv told them that they would have to wait until existing orders from other banks were completed.
Fiserv is a financial services firm that prints cards and operates the online portals for a large number of small and mid-sized financial institutions from all over the US.
The credit union has been told that they will have to wait until 2 million other cards are rolled out. The organization in question has the capability to print out the cards, which is exactly what they’ve done.
Their IT department wrote scripts to export customer data and two people were put in charge of printing the cards one by one.
“A large breach injects additional demand into a system that is already operating at near-peak capacity at year-end,” explained Murray Walton, chief risk officer at Fiserv.
“As a result, producers face the challenge of juggling existing contractual commitments with this incremental demand, and turn to mandatory overtime and staff augmentation to get the most out of their equipment and infrastructure,” he added.
“We believe we are managing this situation as well as possible, and are beginning to see our cycle times (order to delivery) diminish compared to a few weeks ago. Meanwhile, we note that fraud prevention is a multi-faceted challenge, and card reissue is only one arrow in the quiver. Alert consumers and behind-the-scenes fraud management programs are also essential.”
The fact that there are problems with issuing new cards explains why there are still so many valid records being sold on the underground market.
When the stolen payment card data first emerged on cybercrime forums, the information had a validity rate of 100%. Now, as new cards are being issued, the rate has dropped to 60%, but that still means that there’s a lot of information that can be put to good use by fraudsters.