Data Breaches Still Alive and Kicking; Fraud Management Still Lacking
Mainstream media outlets seem to have moved beyond the subject of corporate data breaches to more arcane means of data theft like reading the smart chip embedded in individual credit cards. Most retailers have spent the time and money to become PCI compliant, so all should be well, right? Well, not exactly. Data breaches are alive and well, and while US consumers are not bearing the direct costs right now, sooner or later the impact of these thefts is going to show up buried in some price increase or another.
This past Thursday I received a call from the Fraud Department of my Mastercard issuer. In general, this particular bank is incredibly aggressive in monitoring my account against fraud — to the point of embarrassment. I’ve had my card declined on at least three occasions because a purchase didn’t seem to fit my pattern. When I call Customer Service and ask “What are you doing to me?” I’ve received varying replies, most of which are odd and point to the use of old, bulky, ham-handed technology.
- “Well, your card was swiped by the same store twice within two minutes — that’s a red alert for us at this particular retailer.” Seriously? Am I the first person who had an item missed in the checkout line at a pet supply store in Aventura? Three times in a row might merit an exception alert, but twice? Really?
- “We noticed your card was being used in New York City — that’s unusual for you.” Really? Do I not use that card every single year in the middle of January at the NRF Big Show in New York City? And why was that less of a red flag than my using it in St Croix two weeks prior? I travel at least 12-15 times a year. Why was this trip to New York any different than any other trip? And where’s the apology? Nothing says “You’re a poseur” like taking someone out for a business dinner and having your credit card declined.
The last time this happened (the New York City affair), after much discussion, the issuing bank agreed to call me on my mobile first, before putting a fraud hold on my card. That seemed reasonable. So when my phone rang and the caller announced she was from the bank’s fraud department, I thought “I wonder what I did to trigger a fraud alert this time? Maybe it didn’t like that restaurant I ate at. Maybe I bought an inappropriate book.” I mean, who knows? Whatever software these guys are using is dumb as a rock.
Turns out, the caller was informing me that MasterCard had informed the bank my card was included in a serious data breach and had to be immediately deactivated. Being me, I tried to find out who had experienced the breach. My bank claimed to have no knowledge of that; only MasterCard itself knew that answer. As an aside, the CSR actually asked me “Do you need us to send a new card out to you overnight?” Uh, let’s see… I use the card for thousands of dollars of purchases, and you’re even asking? Of course the answer was “Yup.”
So now I’ve got my new card, and I’ve got to find all the places that actually have that card number on file (more than a few — it’s a card that gives me air mileage, so I use it all the time). I’m willing to bet the retailer is PCI compliant. I’m willing to bet the theft involves thousands if not millions of cards. And it’s not even news.
I’ve got two issues here, one of which raises its head every time my card gets declined for no good reason. There is a whole universe of fraud detection technology firms. I’m not going to do a vendor round-up here, but I’ve certainly had briefings from enough of them. My card is issued by a VERY large bank. Can’t it do better with its fraud management than it has so far? Any fraud alert technology worth its salt would be able to detect that a) I travel frequently and b) there are certain places I go more than others…my parents live in NY, so I don’t just go there for business. I GO there. Even more often than I go to St Croix.
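To make the point above concrete, here is an added Python sketch (not code from this post or from any fraud-detection vendor) that contrasts the two blunt rules described earlier with a check built from the cardholder's own history; the transactions, cities, amounts and thresholds are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed history for a hypothetical frequent traveller: (time, merchant, city, amount).
T = datetime.fromisoformat
HOME = "Aventura"
HISTORY = [
    (T("2011-01-17 19:30"), "Steakhouse", "New York", 180.0),  # NRF week, every January
    (T("2011-03-04 12:00"), "Pet Supply", HOME, 42.5),
    (T("2011-04-20 08:00"), "Airport Cafe", "Atlanta", 9.0),
    (T("2011-06-10 13:00"), "Deli", "New York", 15.0),         # family visit
    (T("2011-09-22 20:00"), "Beach Bar", "St Croix", 60.0),
    (T("2011-11-02 09:00"), "Hotel", "Chicago", 310.0),
]

def _same_store_within(history, tx, window=timedelta(minutes=2)):
    """Count earlier swipes at the same merchant inside the window before this one."""
    when, merchant = tx[0], tx[1]
    return sum(1 for t, m, _, _ in history if m == merchant and timedelta(0) <= when - t <= window)

def naive_flags(history, tx):
    """The blunt rules the post describes: a second swipe at one store within two minutes,
    or a city the card has not been used in during the last 90 days."""
    when, _, city, _ = tx
    flags = []
    if _same_store_within(history, tx) >= 1:
        flags.append("double_swipe")
    if not any(c == city and when - t <= timedelta(days=90) for t, _, c, _ in history):
        flags.append("new_city")
    return flags

def build_profile(history, home=HOME):
    """Summarise the cardholder: trips per year, recurring cities, largest past purchase."""
    trip_days = {(t.date(), c) for t, _, c, _ in history if c != home}
    years = len({t.year for t, _, _, _ in history}) or 1
    return {"trips_per_year": len(trip_days) / years,
            "cities": Counter(c for _, c in trip_days),
            "max_amount": max(a for _, _, _, a in history)}

def profile_flags(history, tx, home=HOME, frequent_traveller=4):
    """Profile-aware rules: repeat swipes need three inside the window; an unseen city only
    matters for a cardholder who rarely travels; an amount far above the cardholder's own
    maximum is flagged wherever it occurs."""
    _, _, city, amount = tx
    p = build_profile(history, home)
    flags = []
    if _same_store_within(history, tx) >= 2:
        flags.append("triple_swipe")
    if city != home and city not in p["cities"] and p["trips_per_year"] < frequent_traveller:
        flags.append("new_city_for_homebody")
    if amount > 3 * p["max_amount"]:
        flags.append("amount_outlier")
    return flags
```

With this history, the missed-item second swipe and the January trip to New York trip the naive rules but not the profile-aware ones, while a large purchase in a never-visited city is still caught by the amount check.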
My other issue is just how much we’ve become inured to data breaches. It could well be that having forced the retail industry to spend millions on PCI Compliance, Visa and Mastercard are just a bit embarrassed to find data breaches still occurring. I frankly never thought PCI Compliance was a permanent solution — the bad guys are always getting smarter. We’re moving on to Near Field Communications, iPad and iPhone based POS systems (I LOVED paying for my dinner on Food Truck Tuesday by having my card swiped by the vendor’s iPad), and other means of making payments via mobile devices. There will be more tricks added to the bad guys’ bag.
It’s time for the banks to get serious about real and sophisticated fraud management solutions. It’s not reasonable to think data breaches will miraculously be halted by any particular standard. An explosion of selling channels promises to be accompanied by an explosion of exploits on those channels. It is VERY reasonable to expect pattern recognition software to notice a problem quickly, and then start the forensic investigation immediately. Now is the time to get this in good working order.