Interview: Why American 1 Credit Union Decided to Decline Credit & Debit Card Transactions from Wendy’s.

Interview: Why American 1 Credit Union Decided to Decline Credit & Debit Card Transactions from Wendy’s.
Posted: Dec 8, 2016
Comments: 0
Author: Paul Castner

Bold Move Pays Off Positively for the Jackson, Michigan-based Credit Union.

Wendy’s restaurants, long known for its “biggie size” servings, might now be better known as a frequent target of “biggie-sized” data breaches resulting in massive credit card fraud.  Since the fall of 2015, according to one industry source, 1,025 Wendy’s point-of-sale systems in the United States were infected with malware during a five-month-long period.   While Wendy’s said they removed the malware, data breaches continued to reoccur in a number of locations including Jackson, Michigan, the hometown of American 1, a leading credit union in the region that vigilantly monitors member accounts for suspicious activity. American 1 says that to date, they have reached approximately $600,000 in fraud (about 150,000 doubles with cheese!) related to the Wendy’s breach leading to a decision that the credit union never imagined that they would have to undertake. 

In a bold move, American 1 elected to decline Wendy’s transactions made by members on their American 1 credit and debit cards until they felt the fast food chain and the franchisee had fixed the problem.  The decision to take this course of action was not taken lightly and involved approval and support by its board of directors.  In addition, members had to be made aware so they would not be taken by surprise when their American 1 card was declined at Wendy’s.  Since American 1 made this move, they have slowed the bleeding to a trickle and have received very positive response from their members as well as media coverage in local, national, and business news outlets.  What American 1 accomplished has prompted CSCU member credit unions to ask the question:  “Should we also decline Wendy’s transactions?”

CSCU’s Sr. Vice President of Finance and Technology, Tom Davis, interviews Martha Fuerstenau, Executive Vice President at American 1 Credit Union and Kristi Edgar, Vice President of Marketing and Communications at American 1 Credit Union, to find out more about why they made the decision, the process they used and what they would do going forward in the event a large-scale breach happen again.

TOM Davis: CSCU wanted to know how you decided to make the move to decline Wendy’s transactions and what you think now that you are several weeks into this.  Is it going the way you expected it to go?

MARTHA Fuerstenau:  The short answer is yes.  But the long answer is it was a difficult decision to make.  We didn’t know what to expect.  Our big concern was upsetting the mom in the drive-thru at Wendy’s with kids in the back seat and her card getting declined and having a horrible experience. We want our cards working all the time for our members because we want them to use our cards all the time. We didn’t immediately do a mass reissue, but we did reissue a significant number of cards throughout September.  After September, our card director, Amy Williams, was seeing compromises again on those cards that had already been reissued. And, anecdotally, she was hearing that as well in our community from other credit unions.  So, that is when we made the decision and our board of directors was very much behind it.  Before we stopped the transactions, we took five days to communicate the information to our members and it got picked up by our local newspaper.  This turned out to be a good thing because they basically reprinted our press release.  Also there was nothing but positive comments and also comments from other credit union members asking: “Why isn’t my credit union blocking Wendy’s?

TOM:  What data and what results were you seeing?  Was your decision to take this stand purely financial, part financial, and/or part heart?   What would you recommend to other unions to take into consideration before making a move like this?

MARTHA: The decision was certainly financial.  When we decided to move forward we were in week six of really high fraud volumes.  We were comparing it to the Home Depot breach where we took about a $550,000 hit. We learned a lot from Home Depot in terms of our reaction and we put a lot of tactics in place since then that helped to mitigate fraud.  Then we started seeing the same things happening with Wendy’s transactions.  Even though the dollar amounts were smaller, we were still seeing the fraud in our members’ accounts.  Today, we’re at over $600,000 for Wendy’s. Which is a lot of money for us.  We are a $300 million credit union.  Certainly the financials were a big part of our reaction but there was also a little bit of, I don’t know what to call it, other than “we were mad!”  Who is accountable here?  This is our members’ money.  And, we’re passionate about our members’ money.  And, maybe it helped that it was Wendy’s.  I’m trying to think of a retailer where we would have second thoughts.   For us, perhaps Meijer here in Michigan and certainly Walmart, too.  But with Wendy’s, there’s McDonalds, Burger King and everybody else and maybe they’re not a completely sympathetic merchant.  So, those were the two things we considered, both the financials and the retailer.  Like I said, it’s not like we went into it very confidently, we just did it and hoped that the message to our members worked. 

KRISTI Edgar: Also, before we made a decision, we took into consideration the PR nightmare that this causes when members are out there getting fraud on their accounts.  They don’t necessarily think of Wendy’s, but rather they think the problem is with the financial institution or the card issuer.  When you are reading things on social media, the media, or on blogs and members are saying: “American 1 did this or they did that and my card got hacked again at American 1,” that is a PR hit that we have to take. So we looked at this as an opportunity to educate our members and the community as to what really happened.  There was actually a scenario here where a member of our credit union went to the media and was complaining about having fraud on their account and mentioned American 1. 

MARTHA: That was right before we blocked.  And the headline read, “Bank drains member’s account,” I can’t remember what it was exactly…it was a kind of hysterical headline, and then, of course, it was one of our members and we were named in it.  It wasn’t the worst article we ever had because we had worse for Home Depot - we were named in the paper for Home Depot as well.  We felt like we had to go on the offensive and talk directly to our members

KRISTI: In order to prepare for that, we had five days and we were really trying to get the message out to our members as to why we were blocking Wendy’s…not just that we were blocking them, but why we were doing it.  We set up a page on our website that basically just educated our members and the community if they went there to read about what was going on.  The member communication got picked up by a lot of media outlets and then it was all over social media and I would say probably 90% maybe even 95% of the comments underneath were all in support of our decision.  And, our members were so appreciative that we took that extra step to protect them.  It was one of those things where we had many discussions about whether or not this was the right move, but we think by the end of the day, it was necessary to educate and protect our members.

TOM:  Looking back on your decision and how you handled things, would you do anything different?  Is there other data that you would have looked at that you didn’t consider at the time?

MARTHA:  Now that we’ve done it, we would do it again.  And, what my mission now is trying to talk to other credit unions to have them do it with us.  It turned out really well for American 1.  But, I really believe credit unions need to stick together.  I don’t think the banks are going to do it because it’s not the same thing for them, for whatever reasons, philosophically.  But for credit unions, it’s a no brainer, and yes we are probably losing a little interchange, we looked at how many transactions we had at Wendy’s and we calculated interchanges and we said yeah…we’re going to do it.

TOM: How much did EMV have an impact on this? Obviously reissuing EMV is a lot more expensive than issuing mag stripe.  Is this something that you considered? 

MARTHA:  We’re actually not on chip.  We came to the conclusion that we would have had the same experience anyway since Wendy’s doesn’t take chip.    Our instant issue business model is so important to us that we decided we weren’t going to do chip before we could do instant issue which is probably the first quarter of 2017.  FIS doesn’t even have us ready for debit yet. So, we’re not feeling urgency about EMV for a lot of reasons.    We’re going to do it, but we are ready to leap right to mobile.

TOM:  So, what are your next steps?

MARTHA: Standardizing a process is our next charge.  We will send you copies of our process documents so that you can share with other credit unions to use as a guideline for how to best approach similar situations.   The documents outline the process and how we are going to make decisions. 

TOM:  We would absolutely like to run that on our site and share with other credit unions when it is ready.

MARTHA:   That’s all we ask, is that we get a chance to talk about it and be heard!

Editor’s Note: As of November 18, 2016 American 1 restored credit and debit card transactions for all Wendy’s franchise locations.  American 1 Credit Union CEO David Puckett said, “After numerous conversations with both Visa and Mastercard, we feel confident that Wendy’s has been able to successfully contain their data breach and that our members’ card information will be safe when used at Wendy’s locations. Our members are our top priority,” continues Puckett. “We are committed to doing whatever we need to do to keep their information safe and secure.”


Rate this article:

Please login or register to post comments.


Featured Stories