Visa USA: Security May Have Been Breached

March 4, 2005 - By KENNETH R. GOSSELIN, Courant Staff Writer

As concern mounts over the vulnerability of personal financial information, Visa USA has told an undisclosed number of banks of a potential security breach involving Visa-branded debit cards used to make purchases at a national retailer.

Although Visa refused to identify the retailer or the number of banks, at least one bank in Connecticut is sending thousands of its customers replacement debit cards with new account numbers as a precaution to guard against possible fraud.

Webster Bank, one of the state's largest banks, is sending nearly 7,000 of its customers new check cards, which can serve as both debit and ATM cards. So far, Webster said, there has been no evidence of fraudulent use.

The disclosure comes amid two high-profile incidents that have put consumers' personal and financial information at risk.

Last week, Bank of America, the nation's third largest bank, confirmed that it lost computer tapes containing personal information on 1.2 million federal employees, including some members of the U.S. Senate. The loss could make the employees vulnerable to identity theft.

That followed the disclosure that ChoicePoint Inc., a data warehouser, had learned that personal information on as many as 140,000 consumers may have been compromised. Court documents show the breach was not the first at ChoicePoint.

Branded debit cards have grown in popularity in the past five years. Unlike checks, they are accepted by out-of-state merchants, but still pull funds from the checking account.

And they offer the convenience of a credit card without mounting a balance that is subject to interest charges.

In a written response to an inquiry from The Courant, Visa said it was told recently by a "U.S. merchant that it may have experienced a data security breach resulting in the compromise of Visa card account information."

"Visa immediately began working with the merchant, law enforcement and the affected member financial institutions to monitor and prevent card-related fraud," the statement from Visa said.

Visa's investigation is ongoing, the statement said.

Webster Bank spokeswoman Meghan Thompson said Webster was told by Visa that the problem involved a "national retailer" and centered on the improper storing of the three-digit security code on the back of the debit card when they were swiped for purchases.

And while that doesn't violate federal or state laws, it does violate Visa rules, Thompson said.

Webster wasn't told the identity of the retailer or the scope of the problem, except that it involved more than one bank, Thompson said.

"There wasn't much information given," Thompson said.

Bridgeport-based People's Bank, another large Connecticut bank, said it had not received a warning from Visa.

Rosetta Jones, a Visa spokeswoman, refused to provide further details about the incident, citing confidentiality agreements with banks and retailers. But she acknowledged that security breaches happen "from time to time."

And in those cases, affected banks are advised to step up fraud monitoring or issue replacement cards with new account numbers.

While not insignificant, the number of debit cards being replaced - 6,656 - represents fewer than 3 percent of the 250,000 check cards Webster Bank has issued, Thompson said.

"We wanted to do everything possible to protect our customers," Thompson said.

Jones stressed that Visa protects all cardholders from unauthorized purchases with its "zero liability fraud protection" that removes responsibility from the cardholder for any fraudulent purchases.