BreachExchange mailing list archives

Credit Unions May Disclose Breached Merchant Names


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 16 Jun 2015 19:20:15 -0600

http://www.cutimes.com/2015/06/16/credit-unions-may-disclose-breached-merchant-names

MasterCard and Visa have confirmed to the California and Nevada Credit
Union Leagues that card issuers are allowed under their network rules to
divulge to members the names of merchants involved in data breaches, giving
credit unions and other card issuers a significant opportunity to mitigate
some of the reputational damage that often comes with breach-related card
reissuance.

“Most credit unions are under the belief that the networks prohibit, either
by contractual obligation or by network rule, financial institutions from
releasing the name or identity of a merchant that has been identified as
responsible for a payment card breach,” the Leagues’ President/CEO Diana
Dykstra said in a May 18 letter to Visa and MasterCard.

“Visa Rules do not prohibit an issuer from identifying by name a confirmed
breached entity or a suspected breached entity when that information is
independently developed or procured separate from Visa,” Visa Head of U.S.
Government Relations Robert Thomson said in a written response to Dykstra’s
letter. “Where a data breach event is publicly confirmed, Visa Rules do not
prohibit Visa from sharing that information with its clients, who are also
free to share it with their consumer clients.”

MasterCard’s response said materially the same thing.

“MasterCard alerts do not identify the merchant by name, often because
those alerts are sent out early in the investigative process and the facts
around the intrusion continue to evolve,” MasterCard Chief Franchise
Integrity Officer Eileen Simon wrote in her response to Dykstra. “Should an
issuer choose to inform its cardholders that cards are being reissued in
connection with a particular event, that is an issuer’s choice. That choice
should be exercised based on information in the issuer’s possession and
should not be attributed to MasterCard.”

Dykstra applauded the news.

“One of my clients has gotten in the last year five card replacements,” she
told CU Times. “It was Target, it was Home Depot, it was Adobe, it was
Michaels and one was a regional grocery store. And her comment to me was,
‘What's wrong with my credit union? They must have really bad security,
because they replaced my card five times.’ So it changes how we inform the
member. We can say [something like], ‘We have been informed that your card
information may have been accessed, and we see that your card was used at,
say, Home Depot between this date and that date, and as a level of
precaution and protection, we are reissuing your card.’ So the member no
longer looks at the credit union and thinks we're weak.”

Naming names carries one very significant risk, however: Issuers might name
the wrong merchant. That could create a host of legal and reputational
problems, which is why in their letters the networks warned issuers to be
careful.

“Importantly, during the initial phase of a potential data breach event,
there is often insufficient information to confirm a source of breached
payment card data or where initial information suggests an inaccurate
conclusion,” Thomson wrote. “Therefore, to avoid disseminating inaccurate
information, we suggest waiting for public confirmation of a data breach
event before disclosing information to customers.”

Law enforcement might also request keeping the merchant’s name confidential
to avoid alerting fraudsters, he added.

“It'll be interesting to see how it plays out, but it is a big relief to
credit unions to be able to tell their members why that card is being
reissued,” Dykstra said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/