Visa May Fine B of A for Data Breach at Retailer

Visa U.S.A. is considering imposing a fine on Bank of America Corp. in response to a recent data breach involving hundreds of thousands of compromised customer PINs.

But the most Visa can charge an acquirer for a merchant's noncompliance is $500,000.

The February breach likely occurred at a large office-supplies retailer that was improperly storing customer data in violation of the Payment Card Industry standards.

A source close to the investigation said Wednesday that criminals targeted debit card data stored by OfficeMax Inc. at about 30 of its 945 U.S. stores, mainly on the West Coast and in the Southeast. The source also said that Visa would fine Bank of America, though it was too early to say how large such a fine would be.

The stolen account information has since been used to initiate transactions in at least three countries. In response, Citigroup Inc. blocked all PIN-based transactions initiated in Canada, the United Kingdom, and Russia.

William Bonner, a spokesman for OfficeMax, of Itasca, Ill., reiterated Wednesday that the company has no "knowledge of a security breach."

Visa would not confirm that it plans to fine anyone involved in the incident, but it has done so after past breaches. Visa said that it has imposed roughly $15 million in such fines to date.

Under the terms of their contracts with B of A, both Visa and MasterCard International can fine the banking company for failing to ensure that its merchants are compliant with the standards.

It is unclear whether MasterCard also plans to fine the acquirer. Jessica Antle, a spokeswoman for MasterCard, said its policy is not to discuss such fines and that it is too early to say what type of fine could be levied in this case. MasterCard has also fined merchant acquirers in the past for failing to comply with the PCI standards.

Acquirers, merchants and other companies are often fined or sued for failing to protect customer data or for storing it improperly.

For example, ChoicePoint Inc., which was at the center of a massive data breach last summer, paid $15 million in fines to the Federal Trade Commission.

And banks and credit unions sued BJ's Wholesale Club Inc. for a 2003 breach, demanding $13 million in restitution for unauthorized charges involving 40,000 credit and debit cards.

Betty Riess, a B of A spokeswoman, said her company's policy is to not name its clients. But she confirmed that the Charlotte banking company is reissuing debit cards that are linked to the breach. Citi, Wells Fargo & Co., and Washington Mutual Inc. have all said they are also reissuing cards to customers.

Libby Hutchinson, a Washington Mutual spokeswoman, said the Seattle thrift company is aware of the breach but has not followed Citi's lead by blocking transactions from other countries. She said Wamu is closely monitoring international activity on its debit cards.
