Payment Card Fraud Sparks TensionsCard Issuer Points Finger at Processors Over Breach
First American has nearly 50 Chicago area locations and more than $2.5 billion in assets.
In a notice to its customers, the bank calls out Bank of America Merchant Services and Bank of America, the payment processors for the local taxi companies that use Taxi Affiliation Services and Dispatch Taxi to process card transactions, for apparently not responding in a timely fashion to the alleged breach.
"We have ... made repeated attempts to deal directly with ... the payment processors for the taxis to discontinue payment processing for the companies suffering this compromise until its source is discovered and remediated," First American Bank said in a statement. "These companies have not shared information about their actions and appear to not have stopped the breach."
A spokesperson for Bank of America Merchant Services tells Information Security Media Group the company "takes allegations of data security matters very seriously and follows all industry rules and legal mandates to investigate issues. We continue to work and cooperate with our industry partners on this investigation. At this stage, it has not been determined that a data breach of a merchant or any of our systems has occurred."
First American Bank has reported the suspected breach to MasterCard. In its statement, the Chicago bank says it's continuously monitoring activity on its customers' cards.
"Until the situation is rectified, we will continue to close and reissue cards that have been exposed," the bank said. "This interruption of card services has inconvenienced our customers while they wait for a new card."
The bank has also submitted a complaint to the City of Chicago Department of Business Affairs and Consumer Protection to get its help stopping the fraud, and it has shared information with the appropriate authorities. First American Bank is also asking customers not to use their cards in taxis until it's determined that the criminal activity has been stopped.
Gartner analyst Avivah Litan says it's very unusual for a bank to issue such a blunt statement. "I've never come across an issuer statement like this before," she says.
"I think the issuer did not get any results from the payment card network and acquiring processor [i.e. MasterCard and Bank of America Merchant Services] and the fraud rates are intolerable," Litan says. "They probably felt as if they had to go it alone and were not getting the cooperation they should have been getting from these other organizations. It's a sad statement about the payments industry that they forced First American Bank into a corner."
Christi Childers, associate general counsel and compliance officer at First American Bank, tells Information Security Media Group: "First American Bank issued the security alert because it is committed to protecting customers' uninterrupted access to their money. As a result of the breach in the payment process, and because First American Bank was unable to get the payment processors to discontinue processing payments for the companies affected by the breach, First American Bank did not see an end to that interruption since it had no other choice than to continue to cancel and replace cards until it knew that the breach was remediated."
Childers says that, as of Friday, Feb. 28, the bank had reissued 227 cards. The bank has seen 478 suspicious charges totaling more than $64,000.
MasterCard did not immediately respond to a request for additional information.