In response to a data breach, credit card issuers choose between (a) automatically reissuing the potentially exposed cards and (b) delaying reissue until fraud is actually attempted. Each option carries costs and benefits that fall on different parties. In this study Graves et al. develop a model for comparing the relative merits of the two options in terms of total societal cost, that is, the combined impact on the time and finances of cardholders, card issuers, and merchants.
Data are compiled from several sources, including surveys and publicly available information about the extent of data breaches and credit card fraud in the United States. Since none of these sources provides a comprehensive and precise value for any of the variables, the model rests on several estimates: extrapolations of the total number of credit card records exposed in data breaches, the probability that a card exposed in a breach will be used for fraud, and the cost of fraud. Each input is therefore not a single number but a set of parameters, a range of possible values, to reflect the uncertainty. For example, anywhere between 2.5 and 40 million credit card numbers are compromised per year, of which 5 to 15% were obtained through data breaches.
The main model focuses on direct costs: the time and money spent re-issuing cards versus remediating fraudulent use. If only direct effects are considered, reissuing all affected cards is more expensive than absorbing the fraud. The model then adds three potential indirect costs. First, if issuers decline to reissue cards automatically, the breached data remains valid and usable for fraud, so it is worth more to thieves and strengthens the incentive to steal it. Second, the time window for fraud is extended; fraud committed long after the breach is harder to detect and more difficult to attribute to a particular compromise. Third, cardholder expectations: cardholders may perceive increased risk in using the card and switch to other payment options, and the resulting lost revenue for issuers is an added cost of not reissuing. Once these indirect effects are included, the cost of waiting for attempted fraud exceeds the cost of reissuing cards.
This approach is constrained by several issues, including sparse, incomplete, and inconsistent information. In extrapolating from the known extent of fraud attributable to data breaches, the authors highlight several ways the data for such studies could be improved, including clearer reporting of how credit card information is compromised. Card issuers, who hold more precise information about the fraud they actually see from data breaches, can substitute their own values for the model's parameters to determine whether the findings about relative costs hold for their situation.
Even the best available data leaves a wide range of uncertainty, so the authors stop short of an assertive conclusion about which option is more costly. A central implication of the findings is the need for more comparable data about the extent and mechanisms of data breaches. Card issuers are likely well accustomed to assessing some of these costs to their business; the model developed in this research suggests they should also weigh the indirect costs of thieves' incentives, extended fraud windows, and cardholder expectations.
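The following is an added illustration, not code from Graves et al. or from the study itself: a toy version of the reissue-versus-wait comparison described above, with the three indirect effects bolted on and each uncertain input treated as a range rather than a point value. Every number in it (cards exposed, cost per reissued card, fraud probability, cost per fraud incident, and the indirect-effect parameters) is a hypothetical placeholder chosen so that the direct-only comparison favours waiting while the comparison including indirect effects favours reissue; the function names and parameter names are this example's own, not the study's.

```python
"""Toy reissue-vs-wait cost model with parameter ranges (illustrative only)."""
from dataclasses import dataclass, replace
from itertools import product


@dataclass(frozen=True)
class BreachParams:
    # All values supplied for these fields are hypothetical placeholders.
    exposed_cards: float     # cards whose numbers were exposed in the breach
    reissue_cost: float      # cost per reissued card (issuer production/postage + cardholder time)
    fraud_prob: float        # P(an exposed card that is not reissued is used for fraud)
    fraud_cost: float        # direct cost per fraud incident (issuer, merchant, cardholder time)
    incentive_uplift: float  # indirect 1: extra fraud probability because the data stays valid
    window_uplift: float     # indirect 2: extra cost per incident from a longer, harder-to-attribute window
    attrition_rate: float    # indirect 3: share of exposed cardholders who shift spending elsewhere
    revenue_per_card: float  # issuer revenue lost per cardholder who shifts spending


def reissue_cost(p: BreachParams) -> float:
    """Direct cost of automatically reissuing every exposed card."""
    return p.exposed_cards * p.reissue_cost


def wait_cost_direct(p: BreachParams) -> float:
    """Direct cost of waiting: expected fraud losses on the exposed cards."""
    return p.exposed_cards * p.fraud_prob * p.fraud_cost


def wait_cost_total(p: BreachParams) -> float:
    """Waiting cost including the three indirect effects."""
    eff_prob = p.fraud_prob + p.incentive_uplift   # valid data is worth more to thieves
    eff_cost = p.fraud_cost + p.window_uplift      # longer window -> costlier, less attributable incidents
    fraud = p.exposed_cards * eff_prob * eff_cost
    attrition = p.exposed_cards * p.attrition_rate * p.revenue_per_card
    return fraud + attrition


def sweep(base: BreachParams, ranges: dict, cost_fn=wait_cost_total):
    """Evaluate (waiting cost - reissue cost) at every corner of the parameter box.

    Both costs are multilinear in the parameters (each appears to the first
    power), so over a box of ranges the extremes of the difference occur at
    the corners; checking the corners is enough to bound it.
    Returns (min_diff, max_diff, verdict).
    """
    names = list(ranges)
    diffs = []
    for corner in product(*(ranges[n] for n in names)):
        p = replace(base, **dict(zip(names, corner)))
        diffs.append(cost_fn(p) - reissue_cost(p))
    lo, hi = min(diffs), max(diffs)
    if lo > 0:
        verdict = "reissue cheaper across all ranges"
    elif hi < 0:
        verdict = "waiting cheaper across all ranges"
    else:
        verdict = "inconclusive within ranges"
    return lo, hi, verdict


# Hypothetical point estimates for one breach (not figures from the study).
BASE = BreachParams(
    exposed_cards=100_000, reissue_cost=10.0,
    fraud_prob=0.04, fraud_cost=150.0,
    incentive_uplift=0.02, window_uplift=50.0,
    attrition_rate=0.01, revenue_per_card=200.0,
)
# Hypothetical uncertainty on the two hardest-to-measure inputs.
RANGES = {"fraud_prob": (0.02, 0.08), "fraud_cost": (100.0, 300.0)}

if __name__ == "__main__":
    print(f"reissue:        {reissue_cost(BASE):>12,.0f}")
    print(f"wait (direct):  {wait_cost_direct(BASE):>12,.0f}")
    print(f"wait (total):   {wait_cost_total(BASE):>12,.0f}")
    lo, hi, verdict = sweep(BASE, RANGES)
    print(f"diff over ranges: [{lo:,.0f}, {hi:,.0f}] -> {verdict}")
```

With the placeholder values, the point estimate reproduces the qualitative story above (waiting is cheaper on direct costs alone, reissue is cheaper once indirect effects are counted), while the corner sweep over the two uncertain inputs spans both signs, which is the "inconclusive" result the authors describe. An issuer applying the model would replace `BASE` and `RANGES` with its own figures and look at whether the sweep verdict is one-sided for its portfolio.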
Card issuers should analyze the intangible costs of not reissuing cards after a breach before making a policy decision.