Keeping Your Credit Card Data and Account Information Safe

Ruth Jenkins
President & CEO

Q: It seems that a growing number of breaches are happening to retailer databases which are not controllable by the individual cardholder.  Can you tell us a little bit about what goes on behind the scenes before the “Your card has been compromised” letter goes out to the cardholder?

A: Financial institutions and card processors utilize various fraud tools in monitoring and classifying transactions for possible fraud risk.  These risks are qualified, resulting in those having the greatest risk likely being denied prior to their authorization.  In some cases a data breach is detected either by the merchant, financial institution, or card processor through their risk analysis tools.  Once detected, a review and determination is made if an account compromise has actually occurred that could potentially impact cardholder data.  In those cases an alert is sent to all affected issuers (financial institutions and/or merchants) notifying them of the compromised accounts.  Affected issuers respond to the alert notification by monitoring, closing, or blocking the potentially compromised cards.

Q: What should a cardholder do when they receive the “You’ve been compromised” letter?

A: A recent report by Javelin Strategy & Research noted that there were 15.4 million identity theft victims in the U.S. in 2016, with fraud losses totaling $16 billion.  That number has continued to climb and will continue to grow.  Card-not-present fraud is now higher than card-present fraud.

The likelihood that an individual will get a “You’ve been compromised” letter continues to become greater each year.  Once a letter has been received, there are some steps that should be taken to protect yourself now and in the event of a future breach: 

  1. Make sure there’s really been a breach. When you get the scary communication, make sure it’s legitimate. People get phony security notifications and that can turn into identity theft. Don’t trust email, the U.S. mail, or even a phone call.  Call your financial institution yourself to confirm a breach.
  2. Find out exactly what information was stolen. There’s a big difference between a credit card and checking account. With a credit card account, consumers are responsible (in most states) for only $50 of unauthorized charges.  However, most financial institutions will forgive that.
  3. Find out what your financial institution will do. Some financial institutions agree to compensate their cardholders. Others may offer a free credit monitoring service that alerts customers about activity over a certain dollar amount. The best thing consumers can do is have alerts and triggers on their credit card and bank statements.  Such alerts will tip you off to fraudulent activity before it spins into major trouble.  Some financial institutions ordinarily charge for this service (Heritage Federal Credit Union does not) so keep in mind that the free alert offer may expire; find out when so you don’t end up paying an automatic monthly fee.
  4. Cancel your cards. If your financial institution didn’t do so automatically after the breach, do it yourself. Cancel your credit cards and debit cards.  Your credit card issuer can block your card and account number so no one else can use them, then give you a new card and account number.  Be sure to notify companies that have your card on file for automatic monthly fees, say for website hosting or a newspaper subscription, that your card was canceled.
  5. Reset your passwords and security questions, and make them challenging. “123456” and “password” are the most common passwords: Easy for good guys to remember, easy for bad guys to steal with. Avoid choosing easily findable information, such as your birthday or street address.  Choose something more obscure, and make the password a mix of letters and numbers.  For extra security, create a different password for each account.  Just make sure to write them down and store them in a safe place, such as a home lockbox.
  6. Monitor credit card statements and accounts often and closely. Reviewing your recent account activity is fundamental to credit card safety—and it’s easy. You can do it online or by phone. If your credit card issuer offers email or text alerts about unusual activity, sign up to receive them.  If you’ve been a victim of fraud or identity theft in the past, consider signing up with a credit-monitoring service.  Thieves love to test the viability of accounts with a small purchase, say a 99-cent iTunes download. Review every statement — each purchase, each charge — to make sure you or a household member with access to your card made that purchase.  If you see an unauthorized charge, report it to your card issuer immediately.
  7. Pull your credit reports. Federal law requires the three main credit bureaus — TransUnion, Equifax and Experian — to give you a free credit report if your account information has been stolen. Review each report carefully for errors or fraudulent activity; if you find any, go to the reporting institution and fix them. If there’s a chance your Social Security number has been stolen, put a security freeze on your files. At minimum, issue a fraud alert. You can do this by calling one of the three major credit bureaus toll free—Experian, TransUnion or Equifax—to let them know what’s going on. Per the Federal Trade Commission, you can opt for either an initial alert that lasts 90 days or one that stays on your report for seven years and prevents solicitations from being sent to your house. The initial alert grants you one free report from any of the bureaus. The second grants two free credit reports within twelve months.  These are in addition to your three free annual reports.
  8. Beware of email asking for personal, financial, or account information. Legitimate financial institutions and credit card companies will not request this information — they already have it. If you want to communicate with an online company, find its website and use that website’s contact information.
  9. Tighten up your own security. This won’t keep your data safe if someone hacks into some other company’s database, but it’s a smart move anyway. Update your home computer’s security. Don’t click on links sent by strangers; such links can contain invisible malware that will monitor your computer’s keystrokes and thus steal passwords. If you bank online, dedicate a browser to online banking, and use it for nothing else. In other words, you need to have data and information discipline.
  10. File an Identity Theft Report. If you want to be completely sure that your personal info will remain safe, you might want to consider filing a full identity theft report. These reports are usually in two parts, which may be time-consuming to complete. The first part of the report should be filed with your local or state authorities, such as the police. The second part of the report will be filed with a consumer reporting company, and will depend on your situation. Be sure to have detailed information available when filing your report. This should include the date that your information was most likely stolen, as well as information on any fraudulent charges or accounts that have been opened since the alleged theft. You might also have to provide documented evidence of the theft, if you can.
  11. Keep your current information up-to-date with your financial institution.  Notify your financial institution if you move; you want to make sure your statements and other information follow you to your new address and don’t end up in anyone else’s hands.  It’s a good idea to sign up for fraud alerts using your cell phone number.  Be sure to periodically check to make sure financial institutions have your correct phone number and email address on file.  This way, if anything goes wrong, you can be contacted quickly.