June 5, 2012

Fraud Alerts vs Breach Alerts

Do you know the difference between fraud alerts and breach alerts? You should – and you should make sure your staff does, too. These alerts are two very different things and require completely different responses. Mixing the two up can lead to a world of problems.

Recently, one of our merchant customers was contacted by a concerned cardholder. The cardholder told the merchant that he had received a fraud alert on his card and that he had used that card at their business. Now, many of us know (but this poor merchant had unfortunately forgotten) that a fraud alert is not necessarily a notification of card fraud. It can be triggered by a number of things that the bank considers “suspicious”: the card being used in a new location, a purchase unlike anything the cardholder has bought before, or simply use at a business where card data thieves have previously tested their newly counterfeited cards. A fraud alert does not necessarily mean there has been a breach – only that something unusual has happened with the card.

Unfortunately, the merchant mistook this fraud alert for a breach alert and went into panic mode. He implemented his incident response plan and began contacting the authorities and the card brands. When local police and then the U.S. Secret Service arrived, they quickly realized his business had not been breached, nor had it even accepted a fraudulent card. The card data had been stolen from another merchant – miles away and days before.

The merchant received a courtesy call from an anxious cardholder and overreacted. He invited police and Secret Service agents into his environment and allowed them to invade his privacy without cause. The potential repercussions and collateral damage of having federal agents scouring his networks and looking for a reason to blame him could have created major issues for his business. Inviting the U.S. Secret Service to look for flaws is akin to inviting a vampire over to your house for dinner – it may well end with someone sucking you dry.

Fortunately, in this case, everything turned out OK and we can all learn a valuable lesson from it: if you receive a breach alert, implement your incident response plan. If you receive a fraud alert, don’t panic. Continue to be vigilant and monitor your system to be 100% sure you aren’t the source of the loss (you almost certainly are not, but it still warrants checking). Remember, there’s no need to contact the authorities until you are certain that your data has been compromised.

Of course, your best bet is to let Shift4 help you eliminate the cardholder data from your environment so that you don’t have to worry about being breached in the first place. After all, they can’t steal what you don’t have.®