MADISON, Wis. - The practice of capturing and storing card data in violation of Visa's regulations is more widespread among merchants than had been widely supposed. That is the preliminary conclusion of CUNA Mutual's ongoing investigation into merchant card practices which the insurer began in the wake of a card security breach at B.J.'s Wholesale Club in March, 2004. CUNA Mutual reported that its "extensive research" so far had revealed that "a large number of merchants" have been using point-of-sale software programs that capture the full magnetic stripe information from both credit and debit cards. This practice is in violation of Visa's card regulations, according to the $2.1 billion Pennsylvania State Employees Credit Union which is suing the big box retailer over the affair. CUNA Mutual has mailed the 100 credit unions that have reported losses stemming from the BJ's card breach and surveying them as to the extent of their losses from the incident. CUNA Mutual will also begun talking to Visa and MasterCard about tightening up their compliance regulations to clamp down on merchants violating their rules. CUNA Mutual expects that the survey results should be collected by early November, according to Marc Krasnick, senior vice president in the insurer's credit union protection area. "It's too early to say that we will be pursuing litigation," said Krasnick, "but we are keeping all our options open and have consulted outside counsel in case we determine to go that route. Krasnick said CUNA Mutual had not discussed the issue with any merchants directly, but had conducted a careful survey of the available public literature from press outlets around the country. He would not say why merchants might choose to keep the data in violation of Visa's rules, but speculated that some merchants may not be fully aware they are doing so. "The real issue is why they are using software that even allows them to do this," Krasnick said. "How is that possible?" Krasnick said CUNA Mutual has begun to meet with Visa and MasterCard to convey to both associations the importance credit union card issuers bring to this issue, Krasnick said, but added that the insurer would not recommend any specific rule changes. "I think our particular strength in this situation is that we speak wearing two hats," Krasnick said. "We are the insurer of the majority of credit union card programs in the country and we represent the interests of the credit unions themselves," he added. Mallory Duncan, senior vice president with the National Retail Federation said he was surprised at CUNA Mutual's findings and maintained that most retailers are very cautious about what card data they hold onto. "Certainly no responsible retailer wants to hold on to the data from a card's security track," Mallory said, "but many retailers hold onto the transaction data from a given transaction just in case something happens with that transaction where they need that record." Mallory pointed out as well that as individual retail chains move into their own cards and gift cards they also become steadily more aware of and cautious about security. "Retailers are definitely seeking to do the right thing," he said. -

[email protected]