JPMorgan Chase may well be missing a trick here. There is a LOT of money to be made in prepaid. MasterCard is putting the global growth of the prepaid market as a whole at 27% CAGR – it’s already a big market and is set to grow further over coming years. Think all the money from prepaid is to be made in consumer prepaid? Wrong. The cards which JPMorgan will be withdrawing are primarily used for corporate payrolls and government tax refunds and benefits. MasterCard estimates corporate prepaid to account for $385bn of spend by 2017.

For retail banks, transaction banking is a pretty sure and reputable bet – never more so than now. With interest rates still rock bottom, some institutions do not see lending as a secure investment while others are saddled with non-performing debts which mean they are unable to lend. Prepaid on the other hand, both consumer and corporate, can be an extremely profitable business line.

Of course security is critical.  JP Morgan is not alone in suffering a breach; other prepaid systems have come under attack recently such as $45m heist in May 2013 which used a card cloning and unauthorised access to the prepaid card processing systems. However, attacks can be prevented, in some cases with quite basic security measures.

There is no silver bullet to safeguarding a prepaid card system from attack, but there are several best practice measures that do work and should certainly be applied to minimise risk. Stringent adherence to payment standards such as PCI DSS are a good start – and would have prevented several publicized attacks. 

I would, nevertheless, recommend additional measures over and above PCI DSS that would make prepaid card systems more secure without sacrificing ease of use.

EMV chip & PIN cards are an industry standard security measure and an effective defence against card cloning; and besides the obvious physical and IT security, a sound cyber defence strategy should include enhanced security measures for access to systems by operations staff: two-factor authentication to prevent password capture, maker-checker (whereby an individual employee / computer submits an action while another must approve it) for sensitive data entry such as changes in account ownership or large transactions, and  external monitoring for unusual behaviour such as large transactions or high volumes of transactions in a given period that cannot be tampered with even if the machine or process being monitored is compromised. None of these measures degrade the end-user experience and are entirely within the control of the bank to implement.

In short, this is a market worth playing in, but if you’re going to play, make sure you have the right kit.