MasterCard and Visa have confirmed to the California and Nevada Credit Union Leagues that card issuers are allowed under their network rules to divulge to members the names of merchants involved in data breaches, giving credit unions and other card issuers a significant opportunity to mitigate some of the reputational damage that often comes with breach-related card reissuance.

“Most credit unions are under the belief that the networks prohibit, either by contractual obligation or by network rule, financial institutions from releasing the name or identity of a merchant that has been identified as responsible for a payment card breach,” the Leagues' President/CEO Diana Dykstra said in a May 18 letter to Visa and MasterCard.

“Visa Rules do not prohibit an issuer from identifying by name a confirmed breached entity or a suspected breached entity when that information is independently developed or procured separate from Visa,” Visa Head of U.S. Government Relations Robert Thomson said in a written response to Dykstra's letter. “Where a data breach event is publicly confirmed, Visa Rules do not prohibit Visa from sharing that information with its clients, who are also free to share it with their consumer clients.”

MasterCard's response said materially the same thing.

“MasterCard alerts do not identify the merchant by name, often because those alerts are sent out early in the investigative process and the facts around the intrusion continue to evolve,” MasterCard Chief Franchise Integrity Officer Eileen Simon wrote in her response to Dykstra. “Should an issuer choose to inform its cardholders that cards are being reissued in connection with a particular event, that is an issuer's choice. That choice should be exercised based on information in the issuer's possession and should not be attributed to MasterCard.”

Dykstra applauded the news.

“One of my clients has gotten in the last year five card replacements,” she told CU Times. “It was Target, it was Home Depot, it was Adobe, it was Michaels and one was a regional grocery store. And her comment to me was, 'What's wrong with my credit union? They must have really bad security, because they replaced my card five times.' So it changes how we inform the member. We can say [something like], 'We have been informed that your card information may have been accessed, and we see that your card was used at, say, Home Depot between this date and that date, and as a level of precaution and protection, we are reissuing your card.' So the member no longer looks at the credit union and thinks we're weak.”

Naming names carries one very significant risk, however: Issuers might name the wrong merchant. That could create a host of legal and reputational problems, which is why in their letters the networks warned issuers to be careful.

“Importantly, during the initial phase of a potential data breach event, there is often insufficient information to confirm a source of breached payment card data or where initial information suggests an inaccurate conclusion,” Thomson wrote. “Therefore, to avoid disseminating inaccurate information, we suggest waiting for public confirmation of a data breach event before disclosing information to customers.”

Law enforcement might also request keeping the merchant's name confidential to avoid alerting fraudsters, he added.

“It'll be interesting to see how it plays out, but it is a big relief to credit unions to be able to tell their members why that card is being reissued,” Dykstra said.
