My small business has a Visa account with Bank of America so that our managers can have the ability to charge small expenses. My personal corporate card is part of that account. At least twice a year, I get the dreaded call from the bank telling me my card number was part of a data breach and I have to get a new card. And then I have to spend hours and hours updating a zillion online accounts with new numbers, and I face weeks and months of past due notices from accounts I forgot to change.
I am willing to accept Bank of America's explanation that some merchant outside their system caused the breach. So each time I ask the obvious question, "who was the merchant so I can stop doing business with them?" And every single time Bank of America refuses to tell me. For reasons beyond my reckoning, Bank of America and apparently the Visa system have a vow of Omerta in which they protect security-deficient retailers from scrutiny. It is infuriating. In a free society, we should not need the government to hold merchants accountable for data privacy, we should be able to do it ourselves as customers. Apparently I am not the only one who is similarly frustrated by this.
Does anyone know of any Visa issuers that are more transparent about the sources of data breaches? Is Amex better on this than the Visa/MC system?
Update: From a Senior Fraud Analyst at Bank of America:
I am responding to an email you sent to us regarding the data compromise situation that keeps happening with your corporate card.
I do understand the frustration you experience. We are not provided specific details about where the compromise occurred. The compromise could have happened sometime in the past and it may not be limited to one specific merchant or processing center. I do understand you not wanting to use the card at the site of the compromise, but keep in mind that when a merchant or processing center is compromised they likely took measures to improve their security; the continued compromises could be coming from different processing centers or merchants and not the same place each time.
My email back in response:
This is how banks invite regulation on themselves. If Visa and the large credit card issuing banks were more transparent with customers about retailers that create data breaches, customers could take their own action to police irresponsible parties by taking their business elsewhere. Ditto merchant processors -- we businesses could easily shift our merchant processing accounts. But instead, by creating this sort of rule of Omerta where you protect the irresponsible party from public disclosure, people feel helpless. It is in that environment that folks like Elizabeth Warren can create so much havoc with regulation.
By the way, please do not tell me to be comfortable that the offending merchants have already tightened up their security. It has been nearly 18 months after the requirements that merchants accept chip cards to avoid extra liability and half the stores I visit still have the chip card slot on their credit card machines disabled. No retailer is going to stop being irresponsible until you banks stop protecting the bad ones. Look what happened at Target - they got a lot of bad publicity from their breach but you can be damn sure they were one of the first that were accepting chip cards.