SAN FRANCISCO — For many in the credit union industry, particularly if they worked with electronic payments generally and cards in particular, 2006 may go down in memory as the year card security really arrived as an issue that overhung the whole industry. In many ways the year began much as 2005 ended. Large data security breaches, such as the one at Cardsystems or major retailers continued to occur. Fraud alert messages continued to flow from Visa and MasterCard. Credit unions remained faced with the inconvenient and expensive decision of whether to close accounts and reissue accounts, which may have been compromised in the breaches, or not.

But 2006 also brought ripples in the issue as well. Awakening to the problem with the public and their issuers, the major card brands announced initiatives designed to bring more of the major retailers into compliance with the security protocols the retailers had flaunted. Also, CUNA Mutual Group, the insurer for the majority of CU card programs, announced that its losses in cards had grown unacceptable and that CUs had to make security their highest card priority or face the prospect of possibly not having any card insurance going forward.

Many credit unions welcomed the focus on security in their own shops. Now, at least, they had a way they could fight back against a problem that seemed removed from their daily operations and impossible to control–until they finally got hit with the costs of a breach. Others questioned whether the increased trouble and expense of providing card security would drive them out of the card issuing business, though card brokers reported that few if any CUs reported selling their card portfolios because of security concerns. But everyone had to start auditing how they conducted their card business, and for many the audits were an eye-opening experience. Auditors surprised many by finding the first widespread weakness in many CUs' debit card programs, and particularly in point of sale transactions which were considered by many to be among the safest since cardholders validate many of these with a personal identification number. Auditors found weaknesses first in the fact that many of the card security breaches that involved hackers had been able to get far more information from the pilfered accounts than had been available previously. The second weakness was that many CUs had never bothered to turn the additional Card Verification Value 2 check on when validating their debit card transactions. So called CVV2 transactions ask a cardholder to input a three or four digit number that is on the back of their card (Visa and MasterCard) or on the front (American Express) to validate that they actually have the card and that the number is correct.