Some banks are putting hacked credit and debit cards on watch lists, rather than replacing the cards.
Credit and debit card fraud cost the U.S. $6.15 billion last year, up 12.4% from the previous year, according to The Nilson Report industry newsletter. So you’d think the financial services industry, which shoulders most of the cost, would be proactive about quashing the use of stolen card data. But it may not make financial sense for your bank to replace your card—even if it knows the card has been compromised.
That’s because hacks go down in phases. One set of cyber attackers steals the information—say, by hacking into a major retailer like Target or Home Depot. Those thieves sell that purloined plastic—or, more specifically, the data behind it—on online black markets and crime forums. There, a final set of fraudsters purchases the data to make unauthorized transactions. It’s an assembly line for digital iniquitousness.
If your payment card information hovers in limbo between those stages—up for sale on a baleful bazaar, but not yet in the hands of those anchor leg crooks—your bank may know it, because security firms trawl the “carder” underworld to compile lists of stolen data that they then sell to banks. But from there, “fraud is a numbers game,” says Ricardo Villadiego, CEO of one such firm, Easy Solutions of Sunrise, Fla. Since each reissued card costs the bank around $5, the expense of retiring a card may not be worth incurring until somebody starts misusing it. “Just because data has been compromised doesn’t necessarily translate to losses,” says Villadiego.
The bigger the bank, and the closer the stolen card is to its expiration date, the less likely the bank is to replace it, experts say. Banks and payment companies Fortune spoke to—including Chase, American Express, and PayPal—declined to comment about whether they use carder research services. But Avivah Litan, vice president at Gartner Research, says bigger banks often find it more cost-effective to keep watch lists—and to act only if things get ugly for them, and you.