As Banks Reissue Debit Cards, Experts Warn of More Compromises

More banks are reissuing debit cards as suspect transactions pop up throughout the United States and other countries, according to media reports this week. Investigators believe many of the transactions could be related to a security breach at a merchant facility in California that happened late last year, but the fallout from which is only now coming to light. These reports come in the wake of recently released figures from Visa USA that indicate just 17% of 231 large retailers are in compliance with industrywide data-security rules. At the same time, data-security experts say more such reports are likely in the coming months now that state disclosure laws are taking effect and as the publicity itself draws the attention of more data thieves. The Pittsburgh Post-Gazette is reporting today that Cleveland, Ohio-based National City Corp. is reissuing an unspecified number of Visa-branded debit cards with PIN-debit capability as a result of the apparent theft of card numbers. National City began notifying customers of the breach March 1. The paper reported that a Visa USA spokesperson linked the security breach to an undisclosed merchant. In the Tuesday statement, which Digital Transactions News obtained, Visa said, “Visa USA was notified by a U.S. merchant that it may have experienced a data security breach resulting in the compromise of Visa card account information. Upon learning of the compromise, Visa quickly alerted the affected financial institutions to protect consumers through independent fraud monitoring and, if needed, reissuing cards.” A Visa spokesperson would not comment beyond the statement. In January, Pittsburgh-based PNC Bank also reissued a number of Visa-branded debit cards for security concerns, the Post-Gazette said. Meanwhile, The New York Times is reporting today that New York City-based Citigroup Inc. is blocking transactions on an unspecified number of bank cards in Britain, Russia, and Canada after detecting suspect ATM transactions. The Times, citing unnamed banking-industry sources, linked the transactions to an alleged computer-security breach at office-supply retailer OfficeMax Inc. OfficeMax, however, denied having any knowledge that it is the source of the breach, the Times said. The alleged breach reportedly happened in 2005 at an OfficeMax facility in Sacramento, Calif., and could have comprised up to 200,000 debit card numbers (Digital Transactions News, Feb. 23). Bank of America Corp., Wells Fargo & Co., and Washington Mutual Inc. reissued cards in the wake of the breach, which investigators say may have been committed by Russian or Eastern European fraudsters. Computer-industry publication CNet News.com reported yesterday that at least seven financial institutions in Western Massachusetts reissued debit cards last week after hundreds of customers noticed suspect charges on their accounts from places like Spain, Pakistan, and Romania. CNet News, also citing unnamed sources, said some of the account holders had shopped at OfficeMax. In addition, a police detective in Leominster, Mass., told the publication that his department had received 29 reports of suspect debit card transactions since last week, and that of at least eight people interviewed, all had shopped at OfficeMax in the previous six months. It's too early, however, to draw any conclusions, the detective said. An El Paso, Texas, television station last week reported that authorities are getting reports of stolen debit card numbers in that area. And other press reports say a bank and credit union in North Carolina have reissued debit cards in the wake of suspected fraud. The increasing volume of reports doesn't surprise fraud-control expert Heather Mark, director of industry marketing at Santa Clara, Calif.-based data-security firm Vormetric Inc. An estimated 22 states now have disclosure laws that require banks or other businesses to report suspected data breaches, she says. Among the newest is New York's, which took effect in December. Given the proclivity of data thieves to try to outsmart security systems and the increasing publicity about data breaches, Mark doesn't expect reports of card data thefts “to stop any time soon.” Payment firms may turn to more encryption as an answer, she predicts. Visa, MasterCard International, American Express Co., Discover Financial Services LLC, and other card companies in January 2005 harmonized their individual data-security rules into a common set of rules known as the Payment Card Industry data-security standard. The rules, which mandate measures such as data encryption, firewalls, and regular anti-virus scans, apply to all organizations, including merchants, that handle card data. Data from Visa, however, show 83% of 231 large merchants are not yet in compliance. Some 75% have filed initial reports to the card companies indicating they are working toward compliance with PCI, while another 8% have filed no report at all. Visa will not name the merchants.