In the wake of a data-breach disclosure by TJX Cos. Inc. last week, Visa U.S.A. Inc. is considering requiring retailers to disclose their role in all such breaches to issuers.
The decision follows a string of incidents, played out over the past few years, in which issuers have complained about being kept in the dark after big breaches.
Neither Visa nor MasterCard Inc. currently has a policy demanding disclosure. Retailer responses to past incidents have ranged from total silence to the detailed mea culpa offered up by TJX last Wednesday, about a month after its breach was first discovered.
According to Michael E. Smith, Visa's senior vice president of enterprise risk and compliance, big breaches typically leave the association handling numerous issuer demands for the name of the merchant involved — a task, he says, that distracts Visa from investigation and containment.
But TJX's disclosure in the latest incident helped stem the tide of complaints, he said — and has led Visa to wonder whether all culpable retailers should be required to take the same medicine.
"We're taking lots of notes on this one," he said in an interview Tuesday. "When we have our post-mortem … we will be revisiting some of [our] policies."
Banking executives say that knowing the source of a breach can make it easier to track down compromised accounts, and that speedy disclosure can reduce losses. Their frustration with the situation has caused more than a little rancor in the past.
"Our bankers are angry," said Bruce E. Spitzer, the director of communication for the Massachusetts Bankers Association Inc. "They don't want to take the blame for this."
Visa expects its review of the breach to take six to eight weeks, according to Mr. Smith. When asked if that review could lead to a mandatory disclosure rule, Mr. Smith said, "I think that is a fair statement."
However, he also said that naming the affected retailer may not always help stop fraud. And even if Visa did require retailers to tell issuers when they suffer a breach, it is unclear whether the association would allow issuers — who have to mollify unhappy cardholders — to share this information with their customers.
TJX, whose brands include TJ Maxx, said it discovered last month that hackers had accessed its transaction systems. The Framingham, Mass., retailer disclosed many of the details in a press release last week. There are still some unanswered questions, such as the scope of the breach, but in admitting its role, TJX answered one of the biggest questions that follow such breaches: Where did it happen?
"We certainly do encourage the party that has been compromised to be transparent, as transparent as possible," but that does not always happen, Mr. Smith said.
OfficeMax Inc. was widely reported to be the target of a major breach that was discovered in March 2006, but the Itasca, Ill., company repeatedly denied that it was at fault.
Mr. Smith said many of the companies that have disclosed breaches have done so in part because state laws have required it.
The inconsistent disclosure policies have made it difficult for some financial companies to assess the effect of breaches.
When Wal-Mart Stores Inc. said in November 2005 that data had been stolen from its Sam's Club division, banks scrambled to determine whether any of their cardholders had been affected. Though Wal-Mart said "approximately 600" accounts had been compromised, several banks said then that this number likely underestimated the impact.
Mr. Smith also said that fraud can be spotted without knowing the identity of a breached retailer; Visa assigns codes to each affected account, so issuers can adjust their risk scores when allowing transactions on those accounts. The codes are a practical alternative to reissuing the affected cards, he said.
Still, knowing where a breach originates gives issuers more data to work with and can allow them to fine-tune their antifraud efforts.
"I know that a number of them have, in this case, taken the fact that TJX has gone public and done some additional analysis around the accounts" that Visa has red-flagged, "to pinpoint if we've missed anything, because that's certainly a possibility, or if we have over-sent information, which is a possibility," Mr. Smith said. "And then, of course, with that information, they would be well served by doing their own fraud analysis."
He also conceded that, in some cases, naming merchants may not have a substantial effect on fraud. "Every one of these compromises is unique," he said.
In an e-mail, MasterCard said, "Disclosure timing is the responsibility of the breached entity." The name of the merchant that suffered the breach is not as important as "knowing which accounts are at risk," the company said. "Therefore, obtaining those accounts is most important."
Mr. Smith said that even if Visa requires merchants to tell issuers when there is a breach, the association may consider that information proprietary, and issuers would need to confer with Visa before telling consumers which retailers are at fault.
That possibility does not sit well with bankers.
Mr. Spitzer said that informing consumers is just as important as informing the issuers.
In past breaches, when the retailer's identity was kept secret, customers assumed the bank was at fault, he said. "This is not a problem that was caused by our industry, yet we are absorbing most of the cost for someone else's mistake."
Beyond the question of blame, the information is useful in spotting fraud on the affected accounts, Mr. Spitzer said. Banks can "do some forensic investigating" with the information. "They've all said to us that it's been helpful."
Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said that even though many states already require retailers to disclose breaches, a similar rule from the card associations would still have an effect.
"It's kind of like federal law preempting state," she said. "It would make it much more clear anytime you have a breach."
Though Visa said its practice of providing information to help issuers identify compromised accounts is effective, Ms. Litan said, "None of the issuers solely rely on Visa's fraud system."
Issuers want to perform their own evaluations, and the name of the affected retailer is a key detail, she said. "If the issuers know the retailer, presumably they can put other fraud controls in. They could build their own correlations. Issuers that I've talked to want that kind of information, and they can't get it."
Visa's plans for updating its rules may be more than talk, Ms. Litan said. "It's very likely" that the association will require more disclosure, "especially if the issuers are pressuring Visa."