Bank of America is Protecting Merchants Who Lose Credit Card Data By Hiding Their Names

My small business has a Visa account with Bank of America so that our managers can have the ability to charge small expenses.  My personal corporate card is part of that account.  At least twice a year, I get the dreaded call from the bank telling me my card number was part of a data breach and I have to get a new card.  And then I have to spend hours and hours updating a zillion online accounts with new numbers, and I face weeks and months of past due notices from accounts I forgot to change.

I am willing to accept Bank of America's explanation that some merchant outside their system caused the breech.  So each time I ask the obvious question, "who was the merchant so I can stop doing business with them?"  And every single time Bank of America refuses to tell me.  For reasons beyond my reckoning, Bank of American and apparently the Visa system have a vow of Omerta in which they protect security-deficient retailers from scrutiny.  It is infuriating.  In a free society, we should not need the government to hold merchants accountable for data privacy, we should be able to do it ourselves as customers.  Apparently I am not the only one who is similarly frustrated by this.

Does anyone know of any Visa issuers that are more transparent about the sources of data breaches?  Is Amex better on this than the Visa/MC system?

Update:  From a Senior Fraud Analyst at Bank of America:

I am responding to an email you sent to us regarding the data compromise situation that keeps happening with your corporate card.

I do understand the frustration you experience.  We are not provided specific details about where the compromise occurred.  The compromise could have happened sometime in the past and it may not be limited to one specific merchant or processing center.  I do understand that  you not wanting to use the card at the site of the compromise, but keep in mind that when a merchant or processing center is compromised they likely took measures to improve their security, the continued compromises could be coming from different processing centers or merchants and not the same place each time.

My email back in response:

This is how banks invite regulation on themselves.  If Visa and the large credit card issuing banks were more transparent with customers about retailers that create data breaches, customers could take their own action to police irresponsible parties by taking their business elsewhere.  Ditto merchant processors -- we businesses could easily shift our merchant processing accounts.  But instead, by creating this sort of rule of Omerta where you protect the irresponsible party from public disclosure, people feel helpless.  It is in that environment that folks like Elizabeth Warren can create so much havoc with regulation.

By the way, please do not tell me to be comfortable that the offending merchants have already tightened up their security.  It has been nearly 18 months after the requirements that merchants accept chip cards to avoid extra liability and half the stores I visit still have the chip card slot on their credit card machines disabled.  No retailer is going to stop being irresponsible until you banks stop protecting the bad ones.  Look what happened at Target - they got a lot of bad publicity from their breach but you can be damn sure they were one of the first that were accepting chip cards.
  • Paul Stagg

    I closed my BoA credit card account for exactly this reason. I was spending far too much time changing the cc number a couple of times a year for all of the auto pays I had set up for my business.

    We asked repeatedly for the merchant information, and they repeatedly refused to provide it. We believe this is industry wide; the credit card companies don't want to alienate a merchant, especially when data breaches are often not really that serious, and the cancellation of the credit card is a precaution.

  • Not Sure

    B of A sucks. End of story.

  • herdgadfly

    Things are getting complicated out there with the hidden readers attached to gas station pumps and the more mysterious phenomenon where a duplicate of your card is used. But I will give Wells Fargo credit where due because they do computer scans of purchase patterns. On vacation I have received calls checking on a recent non-local purchase and on at least two occasions they have caught several of these purchases made by a duplicate card.

    My strangest experience was a thank you email from Macy's telling me that my new winter coat would arrive at an address in a South Chicago suburb ( I live in Indiana) so I notified Wells Fargo and got the transaction stopped and then I called Macy's credit department to advise them. I can tell you from the UPS notice that arrived later that Macy's didn't care enough to call UPS to stop delivery and the package was dropped on the front porch in Chicago five days later.

  • Adrian Monza

    I think in most cases, they probably don't know how the card was compromised, just that it was compromised. Identifying changes in purchasing patterns is relatively easy - there's a good bit of data from your previous purchasing and from known fraud patterns to figure it out. Determining how it was compromised is really, really difficult. You have to pull together enough compromised cards and trying to figure out the similarities between them, knowing that there are some unknown number of sources (merchant breaches, hidden readers, compromise of the user''s own computer).

  • thesafesurfer

    You are basically arguing that a data breach should cripple a business. I apologize in advance for my cynical view of humanity, but wouldn't that create a situation where one could rid themselves of a competitor by hacking them? Why don't you separate your personal corporate card by opening a separate account from your managers with a different Visa provider or even American Express?

  • Matthew Slyfield

    Switch to Chase. I have a personal VISA with chase. The last time I got a call that my card was being replaced due to a data breach they told me who it was (Target) without me even having to ask.

  • JonCB

    I wonder if they'd answer questions as to whether the merchant was PCI-DSS certified at the time of the breach. I believe part of the theory is that merchants who are PCI certified get protection (and fines apparantly) regarding breaches whereas if you're not certified you get thrown to the wolves.

  • Q46

    Why do you assume the merchant 'caused' the breach rather than being a victim of data theft?

    Isn't that kind of information between a bank and a customer privileged?

    Would the bank, in revealing such information, be liable in law for defamation and claims under tort for loss of business?

  • morganovich

    2 recommendations:

    1. chase sapphire has amazing customer service. that said, for some reason, that card gets hacked once a year and someone winds up using a physical copy of it somewhere. i suspect that is because i use it as my card for random internet purchases. i think that's just the price of shopping.

    2. get a second card and use it ONLY for accounts at places you trust (amazon, utilities, netflix, etc) i use an amex for that. then never use it anywhere else. this keeps it from getting stolen. i have been using the same one for 6 years with zero issues. the trick is to firewall it. that way, when your other card gets stolen, you do not need to change all your basic accounts.

    also:

    get samsung pay. it's amazing. you need a new samsung phone to use it, but it lets you store a card and use it anywhere from your phone. it actually creates a magnetic pulse that works with 95% of legacy readers. they do NOT need to be android or apple pay enabled.

    this adds massive security as each transaction is done with a one time number. there is nothing useful to steal. it also makes replacing your card instant.

    i can call chase, tell them there is fraud on my card, they will cancel it, send me a new one, and automatically replace the one on my phone. i will have a new, working card on my phone before the call ends. so, zero gap in usability.

    the real question is why we are not moving to a one time number system online. i suspect it's fee arb.

    if online fraud is 1% vs 0.25% for card present but you can charge a 3% fee vs 1%, of course visa loves it.

  • ErikTheRed

    You nailed it exactly. On a practical level, it's usually impossible to trace a card back to a breach because most breaches are small and unreported. Additionally, the black market web sites sell card info in batches that are mixed up from various breaches in order to better disguise their sources and maximize the illicit lives of the fake cards.

    Brian Krebs, a journalist who used to report on cybersecurity for the Washington Post (but left because he apparently has too many ethics and not enough fear), has an excellent website for laypersons with articles on this subject. He posts info and screenshots from underground web sites that deal in black market information, has flown to Eastern Europe to meet with cybercrime kingpins, etc. His nonfiction book "Spam Nation" (about the gangs that send spam) reads more like a techno-thriller. Generally speaking he's a good enough writer to make what is often a technical topic accessible and interesting to everyone.

    http://krebsonsecurity.com

  • Andrew Hunter

    Many cards allow you to issue "virtual numbers" at will - you can generate a new credit card number for every vendor, all of which charge the same account.

    I do not know how they handle these numbers being breached, but there's an obvious advantage here if they do it at all sanely.

  • Tim Broberg

    They know which side their bread is buttered on. You are not their customer, the merchant is.

  • jdgalt

    I would suggest that you subscribe to KrebsOnSecurity.com, an investigative blog which regularly reveals the sources of data breaches, and HaveIBeenPwned.com, a service that allows you to find out if your information was breached. (HIBP belongs to Troy Hunt, a very good web site security expert from Australia. You may also want to read his blog, TroyHunt.com.)

    Beyond that, all I can suggest is to use just one card, and check that account every couple of days (via the web) for unauthorized charges. Because no company or site is ever hack-proof.

  • ErikTheRed

    Many banks and cards now offer real-time usage information. AmEx gives me a real-time notification on my phone for every transaction that occurs (but only for cards in my name). My bank allows me to set up a huge number of alerts that send me SMS messages when transactions occur inside or outside of certain thresholds; I have these set up for all corporate cards.

  • ColoComment

    Somewhat off topic, but since customer service is sometimes discussed on this blog, I wanted to share the remarkable [systems] service at amazon.com. If amazon can provide this kind of individual contact and service, any financial institution of respectable size should be able to do similarly: be it a refund, adjustment of accounts/replacement account numbers, multiple authorized users, or whatever.
    Do note the last line of the amazon email notice.
    ***************************************************************************************
    Hello,
    We're writing to let you know we processed your refund of $0.49 for your Order xxxxxxxxx.
    This refund is for the following item(s):
    Item: [book title]
    Quantity: 1
    ASIN: xxxxxxxxxxxxxxxxxxxxxxx
    Reason for refund: Pre-order price protection
    Here's the breakdown of your refund for this item:
    Item Refund: $0.45
    Item Tax Refund: $0.04
    We'll apply your refund to the following payment method(s):
    Gift Card: $0.49
    This amount has been credited.
    The amount credited to your Gift Card balance should be automatically applied to your next eligible order on our website.
    Have questions about our refund policy?
    Visit our Help section for more information:
    http://www.amazon.com/refunds
    We look forward to seeing you again soon.
    Sincerely,
    Amazon.com
    We're Building Earth's Most Customer-Centric Company

  • regularjoeski

    FWIW- was at a talk by the head of cybersecurity for a large US state. He said that most data breaches of CC come from restaurants and the bank itself. He now pays cash for everything and uses direct deposit to pay bills. He also now uses one of the faraday cage wallets while overseas. Started that after a presentation where everyone in the rooms CC number was read.

  • Rick C

    If this happens so much, you should probably start keeping a list of all the merchants that have your credit card number so you don't have to remember them all.

    That is to say, it won't help with the basic problem any, but it keeps you from going past due because you forgot to update your credit card on someone's website.

  • Rick C

    Years ago a friend tried to use that. Supposedly you could get, with this bank, a one-time-use card number good for a certain amount of money. (So it couldn't be used more than one time even if it was stolen.) I don't remember what prompted this but he called their customer service and, when asked, was told the one-time use and dollar cap weren't real: the bank would happily let the number be used repeatedly.

  • progenitive

    Hmmm. Why in the world would you burden yourself with that inconvenience (using cash for all transactions)? The issue with credit card numbers being stolen is indeed quite common based on my experience, and once a year is about what I see. And this really pisses me off because of the inconvenience. And yet, I've never lost anything but the time it takes to deal with a new credit card number, and that's less inconvenient than trying to carry enough cash around (and, um, I guess avoid buying anything on the internet?).

    Hoping ApplePay gets more ubiquitous, and actually is a solution to most of this fraud. My last breach was a week ago... my Fidelity Visa card got used to book an Interjet flight, with manual number entry in Mexico. I get a text every time there is a transaction, so I knew about it instantly. Not sure why I would bother, but I quickly reported it, and as a result I lose my number, and have to deal with a new one. Have no idea how the number was stolen, or if it was just a random guess, but I do think the bank could avoid this quite easily by rejecting charges from random locations I've never been to.

  • ErikTheRed

    Yup. Tokenized payments are the future, and the future is (or at least should be) now. Samsung, Apple, or Google - any of them are infinitely better than credit cards.

  • Joe

    A while back I to was told by my bank that I needed a new card. When I went to get it I asked who was attacked and was told that they don't disclose that information.

  • I'm glad that at least you didn't have to pay for any fraudulent charges. If I'm not mistaken, Zero Liability doesn't apply to businesses.

  • Was going to write this, I second this. They may only know that a bunch of cards that they saw used in the same geographic location are all getting bogus charges all of a sudden, and they infer a breach.

  • tfowler

    One of my cards used to offer that, then later they dropped it saying there wasn't much demand for the service.