In two letters sent to Diana Dykstra, the President and CEO of the California and Nevada Credit Union Leagues, both MasterCard and Visa have confirmed that, under their network rules, card issuers are permitted to disclose the identities of merchants involved in data breaches in certain circumstances.
In MasterCard’s letter dated June 3, 2015, Eileen S. Simon, the Chief Franchise Integrity Officer at MasterCard, stated, “[N]othing in our contracts or network rules prohibits a financial institution from identifying a breached merchant when reissuing a payment card to a customer . . . [s]hould an issuer choose to inform its cardholders that cards are being reissued in connection with a particular event, that is an issuer’s choice.”
Visa’s letter, which is dated June 9, 2015, contained substantially similar, but somewhat narrower, language. The letter confirmed that the “Visa Rules do not prohibit an issuer from identifying by name a confirmed breached entity or a suspected breached entity when that information is independently developed or procured separate from Visa.”
Both card brands cautioned issuers against identifying merchants prematurely, given the accompanying reputational and legal risks. Robert B. Thomson, the Head of U.S. Government Relations at Visa, advised issuers to wait “for public confirmation of a data breach event before disclosing information to customers.” Furthermore, law enforcement officials may require an issuer to keep the merchant’s name confidential so as not to alert fraudsters.
This is a potentially significant development: merchants that may have suffered a breach must attempt to make well-founded and thoughtful public disclosures (which can take time), while still balancing the need to supply information to the card brands as and when it is requested.