RANCHO CUCAMONGA, Calif.–The California and Nevada Credit Union Leagues reported they have received official confirmation from Visa and MasterCard that there is nothing in the network rules or contracts to prohibit a credit union from naming a merchant when communicating with members following a security breach.
In a statement, the leagues said that that both Visa and MasterCard had confirmed the policy in writing, but the leagues also noted, “However, Visa and MasterCard warned of potential consequences when identifying merchants.”
The letters were a response to a letter from Leagues’ CEO Diana Dykstra.
According to the leagues the inquiry is one of several initiatives they have undertaken as part of an ongoing advocacy effort to hold merchants accountable for securing consumer data. In addition, the leagues said, making credit unions aware of Visa and MasterCard’s response is another tool the Leagues are using to educate legislators and consumers about the lack of merchant security that “exacerbates the harmful effects of a data breach.”
According to the leagues, credit union leaders have been under the impression that payment network rules or contacts prohibit credit unions from telling members where personal information was breached. Moreover, the leagues said, there have been conflicting reports as to whether this was a rule or part of contract agreements signed for services.
“The response from Visa and MasterCard is an important step,” said Jeremy Empol, vice president of federal government affairs for the Leagues. “Congress wants to see our industry do what it takes to make changes as it works on updating laws related to notification, reimbursement, and standards. Clarifying points such as these greatly assists in the legislative process.”