FAIRFAX, Va. -- Shaping up and shaking down credit union card programs to better protect them from fraud means paying attention to a seeming universe of details--and not taking anything for granted.
"You laugh now, but I could tell you stories about what I have found on card visits that would just shock you," Joni Lovingood, a senior risk management specialist with CUNA Mutual, told roughly 80 credit union card executives who had traveled through rainy rush hour traffic to learn how to better manage their card security. "Sometimes it's the things that seem so obvious that are really not obvious at all," she added.
Lovingood appeared in the meeting room of a Fairfax, Virginia, hotel as part of PSCU's Security Summit 2006, a daylong seminar that lead card processing CUSO PSCU puts on every year at different places around the country. This year, according to PSCU, roughly 500 CU card executives have taken part in the seminars around the country.
Much of the energy and increased interest in the topic has flowed from the card security crisis that has gripped the credit union industry in the past two years, as hackers have stolen information from retailers that the retailers were never expected to store and as thieves have found ways to bypass long-standing security measures that were considered almost impenetrable for years.
The summit addressed both changes that PSCU has begun to implement at its level and different tactics credit unions could and must adopt in their own operations to reduce their own risk--and the higher premiums for card fraud insurance that might have been assessed by CUNA Mutual Group.
PSCU's changes were outlined by Kent Potterton, PSCU's director of credit services, who stood in for PSCU CEO David Serlo, who was called away on a family matter. Chief among these are offering to take on more of the day-to-day burden of helping credit unions manage their card programs and hiring a leading industry security executive from Visa USA to chart the organization's security course.
The procedures that PSCU will offer to take on for credit unions include the 24/7 monitoring of fraud alerts. Falcon, a Fair Isaac service, and Visa Advanced Authorization, a Visa service, each provide continuous fraud monitoring that identifies potentially fraudulent transactions and transmits them to analysts at the credit union or its processor.
CUNA Mutual has required that credit unions have neural networks in place as a condition of retaining their card coverage, and PSCU has secured agreement from the insurer to allow it to put a software program in place instead of human analysts in early morning hours. But Potterton announced that PSCU has decided to put human analysts into place 24/7 and to offer their services to its credit unions. The CUSO will also move more of the analysis of CU fraud data in-house and is working with Visa to get copies of potentially compromised card accounts sent to both its own analysts and the CU.
"These are all numbers we have anyway so we have suggested to Visa that they should also alert us to potential fraud compromises," Potterton said, adding that PSCU hoped to have the paperwork in place to allow information sharing as early as the fourth quarter of 2006.
PSCU will also take steps to bring more of the fraud recovery process in-house, taking that time-consuming chore away from member CUs. PSCU has not yet decided whether or how it may charge member CUs for the additional service.
The biggest personnel change has been to hire Steve Rowe, a former security executive with Visa USA who has been recognized as an industry leader in the payment security field, Potterton explained. Rowe has testified before Congress on a wide variety of card security issues and has been acknowledged as an industry leader who will, to some extent, endeavor to speak for the industry about different card security challenges.
If he takes on that role, Rowe will have no shortage of things to say. The credit union industry feels as frustrated as it does with the card security problem in part because, while the rest of the industry has seen fraud losses as low as six basis points per every $100 spent on the cards, many credit unions remain very far above that.
Lovingood walked attendees through things that she said they probably believed they already knew, but may not know as well as they need to in order to adequately protect their cards.
"Every one of us likes to look at our card program or our loan program or our deposit program and say 'we are good,'" Lovingood said. "But we have to make sure we learn the difference between good and lucky and I have been in enough credit unions that believed they were good and who only found out later that they had really just been lucky."
Lovingood took pains to cloak her remarks in optimism, pointing out that credit unions had long faced different fraud challenges in different parts of their business and had overcome them. "How many people in this room can remember how big a headache deposit fraud used to be?" she asked to some nodding heads. "Well, we put the procedures into place to bring that risk under control and we will with card fraud too."
Lovingood then went step by step through CUNA Mutual's best practices for card security, covering everything from how credit unions count card fraud losses to making sure that staffers are trained about proper card procedures. In one credit union she visited, an employee had been told she would receive the card fraud alert faxes from Falcon, but was never really taught what to do when she received one or how to analyze the situation to prevent fraud loss. "This was obviously a training problem," Lovingood said, "but there was money in fraud losses walking out the door because of it."
Another specific problem discussed involved credit unions that were not sure their debit processors were verifying CVV/CVC codes and, if they were, whether the CU had instructed the processor to decline card transactions where the CVV/CVC codes did not match. CVV/CVC codes are security measures designed to ensure the card account being debited was not being used fraudulently.
"A number of credit unions we speak to have been surprised that merely ensuring their processor verifies CVV codes doesn't mean that they decline the transactions which fail CVV tests," explained Lovingood. "You have to make sure that transactions where CVV fails are declined."