Last week the email marketing company Epsilon announced it had suffered a security breach that exposed an as-yet unknown number of personal email addresses to hackers. While Epsilon and many of its affected clients – including Capital One, US Bank, LL Bean Visa Card, Citi, and JP Morgan Chase – were quick to reassure customers that the hackers gained no other sensitive information such as credit card numbers, this breach could still have big repercussions on anyone in the recurring-billing and online subscription industry.
The reason: The hackers are likely to follow up their email harvesting operation with targeted “phishing” scams, which send bank customers phony but official-looking email notices that ask people to update their account information. Unsuspecting customers who respond will inadvertently hand over their login info or even their credit card data to thieves, who then will use that information to hijack credit card accounts until the customer or the bank realizes that the account has been compromised and cancels those cards.
As SecurityWeek reported, having stolen names and email addresses that can be tied to a specific bank makes it more likely that these phishing scams will succeed:
“Being able to send a targeted phishing message to a bank customer and personally address them by name will certainly result in a much higher “hit rate” than a typical “blind” spamming campaign would yield.”
If that happens, there’s a good chance that some of the credit cards in your subscriber database will suddenly become invalid, leading to payment declines when you try to bill affected customers for monthly or annual subscription/membership fees.
These wide-ranging security breaches are a major problem for the recurring-billing industry: In 2009 there were 498 major breaches that caused 72 million credit card accounts to be closed and re-issued, according to payment processing consultant Paul Larsen.
Plan to monitor your subscriber or membership billing closely in the coming months for a rise in payment declines caused by invalid credit card numbers. It’s also a good time to revisit your strategy for handling declined cards. If you’re not yet signed up for account updater programs offered by the major credit card networks and card issuers, ask your payment processor if you can get access to these programs, which allow you to check your subscriber credit-card database against a master list of re-issued credit card numbers.
Also make sure you have a communication plan in place for reaching out to subscribers whose cards are declined. For example, Subscription Site Insider uses a three-message email series to ask subscribers to provide a new credit-card number whenever a payment is declined due to a card-on-file that’s no longer valid.
It’s no fun when unrelated security breaches suddenly make more work for your finance or renewal-marketing teams, but it’s a lot worse to lose good subscribers due to bad credit cards.