If your bank tells you that your credit card information was stolen from an online merchant you bought something from, it only makes sense that the bank also tell you which e-tailer failed at protecting your information. But the banks say they can’t share this info because the folks at Visa and MasterCard prefer to keep that information private lest you stop doing business with the sources of the leaked information.
The L.A. Times’ David Lazarus has the story of a BofA credit card customer who proactively contacted the bank to let it know he’d be making an online purchase from an overseas company. But when he called BofA, he was told that a data breach at an unidentified online business had compromised his card.
But when he asked which company was involved, the man says he was told, “we don’t tell the customer for fear of retaliation [against the merchant]… You might stop doing business with them.”
A BofA rep told Lazarus the CSR should not have said this to the customer, but admitted that the bank is often not told by MasterCard or Visa about the source of data breaches.
This was confirmed by a Visa rep, who said that revealing the identity of businesses with bad online security “would be a huge disincentive for the breached entity to come forward early and to cooperate with us in the investigation.”
A MasterCard spokesthing said that the company provides “the information necessary to protect potentially at-risk accounts from fraud,” completely glossing over the fact that an inability to protect credit card data might be information that could help protect all credit card customers.
Of course, when it was revealed that up to 1.5 million Visa and MasterCard accounts had been stolen from a third-party payment processor, the two credit card companies had no problem publicly naming the processor.