SAN FRANCISCO – The world's No. 1 card brand admitted last week that it is investigating a possible card security breach at a U.S. retailer, but it steadfastly declined to identify the retailer or to characterize the size of the potential breach. Credit unions around the country have been notified by Visa that anywhere from tens of card accounts to thousands may have been compromised in a breach that the card brand identified only as having to do with “a major U.S. retailer” or a “a nationwide U.S. retailer.” “Visa USA was recently notified by a U.S. merchant that it may have experienced a data security breach resulting in the compromise of Visa card account information,” the card brand said in a prepared statement. “Upon learning of the compromise, Visa quickly alerted the affected financial institutions to protect consumers through independent fraud monitoring and, if needed, reissuing cards. As in other large card security breaches in the last two years, there have been relatively few cards on which fraud actually occurred compared to the number of cards compromised. But sometimes the fraud has been enough to lead a CU to reissue the cards. The $102 million Carolina Trust FCU, headquartered in Myrtle Beach, South Carolina was told that it had 500 credit and debit accounts compromised and decided to close and reissue the cards after fraudulent activity was found on four of them. “Upon notice from Visa, Carolina Trust Federal Credit Union immediately began contacting and informing affected and potentially affected Visa debit and credit cardholders of the possible security breach of their account information,” Carolina Trust said in a prepared statement it released to the local media. “Preliminary Visa reports indicate that approximately 500 Carolina Trust members may have been affected. The Credit Union's Card Services department diligently worked to call and speak with each member personally about the incident. Following notification, the members' card accounts were closed, and a new Visa debit or credit card was issued,” the CU said. The $681 million Suffolk Credit Union, headquartered in Medford, New York, reported that at least 1,700 cards were identified as being possibly compromised and had begun urging its members via its Web site and call center to monitor their accounts for any unauthorized activity. While Visa has remained silent as to the cause of the card security breach, its statement hinted that the problem, once again, lay with retailers or merchant banks who have not followed the card brand's rules for card information security. “As Visa has said before, it's important that every entity that handles payment card information adhere to the highest data protection standards, such as the Payment Card Industry standard, to protect the security and privacy of their customers. Visa is aggressively partnering with entities across the nation to broaden adherence to these standards,” the card brand said. Sources close to Visa who did not want to speak for the record blamed the fear and responsibility for litigation for the card giant's reluctance to publish the retailer's name. They also noted that there may be more than one breach occurring concurrently and that it may be difficult to establish which retailer or merchant bank was responsible for which breach. On Feb. 14, Representative Barney Frank (D-Mass) sent a letter to Visa about the then rumored breach, asking the card brand to reveal the retailer who had been breached, pointing out that, absent that information, cardholders can often hold their financial institutions responsible for the inconvenience and damage fraud presents. “The party responsible for security systems that are breached by unauthorized parties should be the one to notify customers of the breach or, at minimum, should be identified publicly as the party responsible for the breach,” Frank wrote in his letter. “If there are legal impediments that prevent you from identifying those responsible for a security breach, I would like to know what they are in order to fix them.” Frank also hearkened back to the BJ's case where MasterCard had not revealed the retailer's name at first. “The effort to conceal BJ's involvement in that breach appears to have done more harm than good, encouraging numerous bank, credit union and consumer lawsuits seeking more than $13 million in claims against the company,” Frank wrote. “Had BJ's followed the example of numerous other retailers, universities and banks that publicly disclosed security breaches over the past year, and then worked with all parties to mitigate potential fraud, these problems could have been minimized.” Visa responded to Frank that, “Accusing a single source of the compromise before the investigation is complete could be inaccurate and unfair.” It would create a “powerful disincentive” for the compromised entity to share time-sensitive information with Visa, the brand said. But Jim Blaine, CEO of the $13 billion State Employees' Credit Union, headquartered in Raleigh, North Carolina, pointed out that the attention being paid to the larger card security breaches obscured the reality that these sorts of breaches have become an endemic problem in the credit union industry. “While everyone pays attention to the big cases, people forget that the smaller cases are happening all the time,” said Blaine, who said SECU pays tens of thousands of dollars every year to close accounts and reissue new plastics. “In the past we used to have to close accounts for people who were careless with their cards and lost them or who had them stolen out of their cars, purses or pockets,” he added. “But this is different; these are people whose information is being stolen sometimes long after they used their cards at that merchant, and without having the retailer identified it looks like credit unions are holding the bag for the breach.” [email protected]