Credit union and other card issuers got clarification from Visa and MasterCard this month on when they are contractually permitted to disclose the identities of merchants involved in data breaches. In substantially similar letters, both Visa and MasterCard stated that card issuers may identify merchants who are victims of a confirmed data breach. In the event that a data breach is only suspected, card issuers are permitted to disclose the identities of the merchant victim so long as the information supporting that suspicion is independently developed or procured separate from Visa or MasterCard. California and Nevada Credit Union Leagues had written to the two large card brands seeking advice.
The Visa and MasterCard letters were written in response to a May 18 inquiry from California and Nevada Credit Union Leagues’ president and CEO Diana Dykstra seeking clarification on the issue. “Most credit unions are under the belief that the networks prohibit, either by contractual obligation or by network rule, financial institutions from releasing the name or identity of a merchant that has been identified as responsible for a payment card breach,” Dykstra wrote. The ability to identify which merchant is responsible for a confirmed or suspected breach may help card issuers instill more confidence in their customers as they work to respond to any threat to their accounts or data.
Visa’s and MasterCard’s letters, however, do come with a word of caution. The companies note that publicizing unconfirmed breaches runs the risk of getting it wrong, causing harm to the wrongly identified merchant for which the card issuer may be liable, and could run afoul of state law. Additionally, premature disclosure of a suspected breach can cause customer confusion, weaken confidence in the payments system, and interfere with ongoing criminal investigations. Both Visa and MasterCard note that it is their policy not to disclose information regarding a breach until the breach is publicly confirmed and encourage card issuers to do likewise.