Officials at Metro Health Services Federal Credit Union knew something was amiss when, during a late-night test of a new computer system in early October, a metric that tracks rejected card transactions spiked.
“One minute after midnight, it spiked to 50 percent,” said Mike McDermott, president and CEO at Metro. A normal rejection rate is about 2 percent.
The culprit, it turned out, was a cybercriminal using a batch of pilfered credit card credentials compromised during the Home Depot breach that began in April and went unnoticed until September.
That incident resulted in the theft of information detailing 56 million customers’ credit and debit card accounts, including some from the Omaha metro area.
Breaches like the one at Home Depot mean big headaches for financial institutions, retailers and consumers, but for First Data Corp., the largest payments processor in the United States and with significant operations in Omaha, these problems have a unique affect, especially heading into the holiday shopping season.
On average, First Data processes about 2,000 transactions per second on any given day, according to company officials. During the peak holiday shopping season, that volume increases to about 10,000 transactions per second.
That makes the teams in the First Data Command Center at 73rd and Pacific Streets especially important.
There, the company staffs an around-the-clock support operation for merchants relying on the company’s expertise and products. A team of about 100 employees works during daylight hours and another team of about 55 employees works the night shift, said Dawn Baxter, IT director at First Data.
While fraud detection and mitigation is handled by a separate team of First Data experts in a different city, the Omaha data center situated below the company’s command center plays a critical role in safeguarding sensitive customer information.
Encrypted card and customer information is relayed from retail checkout terminals to the ultra-secure data center, where powerful hardware decodes and re-encrypts data during and after the transaction process.
Encryption happens in the blink of an eye, but even a millisecond of opportunity is enough time for cybercriminals to exploit weaknesses in payment systems that don’t encode it immediately, said Paul Kleinschnitz, senior vice president and general manager of First Data’s Global Cyber Security Solutions team.
“The way to solve this problem is to protect the crown jewels. It’s not good enough to protect the fort anymore,” Kleinschnitz said. “In our world, that’s the credit card number. We refer to it as devaluing the card through encryption, tokenization or both.”
Tokenization is a separate process from encryption in which a unique series of identification symbols is generated and substituted for payment data for each transaction.
Kleinschnitz said the most secure payment platforms use both encryption and tokenization so that, even if data are stolen, they’re indecipherable.
“At the millisecond the transmission goes through, malware either won’t recognize it or it will, but it’s not actually a number, it’s a token, and it’s useless on the black market,” he said.
At a veritable credit card factory in north-central Omaha staffed by a team of about 500 First Data employees, the company produces up to 100 million cards each year. Many of them have new technology that security experts like Kleinschnitz hope will marginalize cybercriminals.
As a result of data breaches over the last year — including the late 2013 breach at Target, in which about 40 million cards were compromised — the facility has manufactured and reissued “millions upon millions” of new cards, a company spokesman said.
“Any time there’s a big compromise, we definitely feel it,” said Rick Burns, the facility’s operations director.
Compounding demand is an industrywide shift to chip technology, or EMV, a relatively new and more secure feature on cards that uses microchips to store sensitive information. That information has long been contained on easy-to-counterfeit magnetic stripes.
The goal is to thwart data thieves who have so far in 2014 tallied 679 breaches and have exposed more than 81 million records in the process, according to the Identity Theft Resource Center.
Through mid-November, that’s an increase of more than 25 percent over the same period last year.
Meanwhile, the average cost to individual cybercrime victims increased from $197 in 2012 to $298 in 2013, technology security company Symantec reported in its annual cybercrime report.
So what’s the best way to protect yourself as the holiday shopping season commences?
Experts offer a variety of strategies, including relying on your bank’s safeguards.
“Your card is still the safest way to pay,” said Steve Eulie, president of Omaha-based First Bankcard, a division of First National Bank of Omaha.
He notes that in the event that card data are at risk, First Bankcard, one of the 10 largest Visa issuers in the U.S., has its own dedicated team of 60 employees who work around the clock all year long to monitor and prevent fraudulent card transactions.
“These people and processes know you, your behavior and how and when you tend to shop,” Eulie said.
Activity far outside of a customer’s normal geographic area, for example, immediately raises a red flag that First Bankcard security employees can further investigate.
Eulie discounts the idea that credit is better than debit to an extent. “The risk is the same and customer liability is zero for either one,” he said.
But security advocates, including the Federal Trade Commission and Frank Abagnale, a security consultant who was the subject of the 2002 film “Catch Me if You Can,” recommend using credit cards instead of debit cards because they come with stronger federal protections in the case of fraud.
While companies like Visa and MasterCard say they won’t hold you responsible for fraudulent charges on a compromised debit card, any money lost comes directly out of your bank account. That can put a temporary strain on finances.
Despite high-profile breaches that shook consumer confidence in affected companies, data show that both shoppers and retailers are recovering.
Target beat Wall Street expectations with its Nov. 19 earnings report.
A report from accounting firm Deloitte indicated that while 42 percent of shoppers have concerns about the security of personal data in stores, 56 percent said they still would shop at retailers affected by breaches.
Eric and Tara Domkow- ski, health care workers from Ainsworth, Nebraska, who were shopping at an Omaha Target early Monday, said the Target breach did make them think more about security, especially because they do a lot of shopping online.
“I consciously didn’t shop at Target online for a few months after the breach,” said 28-year-old Tara.
However, Eric Domkowski, 29, said that living in Ainsworth in north-central Nebraska requires a certain trust in the security measures of retailers.
“It’s in the back of my mind all the time now, but it’s a risk we have to take,” he said. “I just hope that (Target) has enacted better security measures.”
Contact the writer: 402-444-1534, email@example.com