Visa Security Breach Q&A:

Q: I understand there has been a breach of Visa card information. How big is this problem? How many cards were compromised?

A: While we cannot provide details of the compromise because of the sensitive nature of the ongoing investigation, we can tell you that Visa immediately began working with the processor as well as the affected Member financial institutions to minimize cardholder impact. As part of our regular procedure, Visa provides the compromised accounts to financial institutions so they can monitor the accounts independently and, if needed, cancel and reissue cards as necessary. And of course, Visa security personnel are working with the proper law enforcement authorities.

It is important for Visa USA cardholders to know they are fully protected by Visa’s zero liability policy, which means they pay nothing in the event of fraudulent purchases. In the meantime, Visa will continue to work with our Member financial institutions, merchants, and appropriate authorities to protect Visa cardholders.

Q: When was it detected?

A: Visa was notified of the situation in late May and immediately began working with public authorities, the processor, and affected Member financial institutions.

Q: Why did Visa wait so long to inform Members and their PR teams?

A: Visa immediately began working with the processor, law enforcement and the affected Member financial institutions to monitor and prevent card-related fraud. Visa respected law enforcement’s request not to compromise the confidential nature of the investigation by going public with this information, as open communication of the situation may have compromised the integrity of the investigation.

Q: Why did MasterCard publicly announce this compromise and Visa didn't?

A: We can't speak for MasterCard’s actions. Visa immediately began working with the processor, law enforcement and the affected Member financial institutions to monitor and prevent card-related fraud. Visa respected law enforcement’s request not to compromise the confidential nature of the investigation.

Q: MasterCard seems to have caught this compromise before Visa. Is their fraud detection process better than yours?

A: Absolutely not. Visa became aware of this compromise early and chose to take action quickly by informing Members and cooperating completely with law enforcement authorities.

Q: When was Visa going to inform Members of the compromise?

A: Visa has already been in touch with the affected Members, and we will continue to keep them apprised of any new developments in the case.

Q: There has been an unwritten rule in the card industry that compromises are not publicly announced in order that there is fast and frank reporting of breaches. With MasterCard announcing this compromise publicly, have the rules now changed?

A: We have always taken fraud, compliance and security issues seriously by first working with authorities, processors and Members to ensure no card accounts have been compromised and that all appropriate actions have been taken to prevent fraud. We will continue to work with authorities and Members to determine the optimal way to handle these incidents.

Q: Do you have a breakout of how many cardholders are affected at each Member?

A: We can’t provide Member-specific information, but we can tell you that 22 million Visa accounts may have been compromised.

Q: Has any fraud occurred on the compromised accounts? If fraud occurs, is Visa liable?

A: We have been monitoring the accounts using Visa’s neural network and have not yet seen any unusual activity or patterns. It is important to remember that cardholders are protected from fraud and any unauthorized purchases by Visa’s zero liability program.

Q: How did the compromise happen?

A: Because of the sensitive nature of the investigation, we’re unable to provide those details.

Q: How many potentially affected Issuers (financial institutions) did Visa notify to alert them to watch out for suspicious account activity?

A: Visa has thousands of Members worldwide; however, because we must respect the sensitive nature of this ongoing investigation, we are unable to disclose that information. As soon as we receive any fraud-related information, we immediately provide it to all of the affected Member financial institutions so that they may take the appropriate action with their cardholders.

Q: Were any other card brands impacted by the compromise?

A: We are not at liberty to discuss the impact to MasterCard, American Express, Discover or any other general purpose payment company. You should contact them directly for more information.

Q: Who is the processor?

A: CardSystems Solutions Inc.

Q: Is the processor compliant with your data security standards? If not, why not?

A: At the time of the compromise, the processor was not compliant with CISP, Visa’s security standards. Visa is continuing to monitor the situation and to work with the entity in question to help ensure that it is compliant with the highest security standards.

Q: Has Visa levied any fines?

A: Visa approaches CISP compliance very seriously. In the past, Visa has levied substantial fines against entities that have not been in compliance. As we investigate these matters, we will continue to take swift and decisive action. All fines are confidential between Visa and Member financial institutions.

Q: Will Visa require that the processor pay for/share the costs of reissuing credit or debit cards?

A: Not for reissuance. If Issuers experience actual fraud losses as a result of a data compromise at a non-CISP-compliant entity, then they can file a compliance claim to seek reimbursement for the amount of the fraud loss.

Q: How many companies are CISP/PCI-compliant? Roughly what percent of processors are now CISP/PCI-compliant?

A: We expect all entities storing, processing, or transmitting Visa cardholder data to be compliant with the PCI requirements. The number of entities that have validated their compliance grows daily. However, it’s important to remember that merchants should also be CISP/PCI-compliant, and with millions of merchants accepting Visa cards, this is a process that will take some time to achieve complete compliance validation. However, Visa has the strongest possible commitment to working with merchants to ensure customer information is secure.

Q: Did Visa inform cardholders that their cards and personal information were compromised? Were the cards cancelled to prevent fraudulent activity and if not, why not?

A: In all data compromise situations, Visa moves quickly to notify all the affected Issuers and provide them with the necessary information so they can monitor the accounts independently and, if warranted, cancel and reissue cards as they deem appropriate. Those institutions will need to make their own determinations of what are the most appropriate actions to take regarding individual cardholder accounts. Institutions must weigh the risk of fraud against the potential disruption to cardholders whose cards are reissued without real fraud exposure, such as disruption of recurring payments, etc.

Q: What authorities are you working with?

A: Visa and the processor involved in this compromise are working with the appropriate authorities. Visa has a long history of extending its full cooperation to the federal and local authorities in such matters. Additionally, Visa is conducting an independent investigation in conjunction with this incident.

Q: With the rash of data compromises, this seems like an epidemic. What is Visa doing to control this clearly out-of-control situation?

A: Visa takes managing fraud seriously. That’s why Visa focuses on investments in the most advanced technologies to monitor and protect our system and cooperative efforts to quickly deal with any breach. And, it’s clear Visa’s comprehensive approach is making a difference: 1) the majority of compromised accounts result in very little fraud and 2) fraud within the Visa system is at an all-time low of just 5 cents per $100 transacted. That said, Visa continually reviews data security practices for possible improvement. It is noteworthy that the great majority of compromises have occurred in data processing environments that are out of compliance with Visa rules for protection of cardholder data.

Additionally, entities that touch cardholder information have a responsibility to protect it. It’s clear merchants and processors must do more. That’s one reason Visa was the first to introduce data security requirements for merchants, called CISP. Compliance with CISP has been required of all entities storing, processing, or transmitting Visa cardholder data since 2001. More recently, the alignment of Visa’s Cardholder CISP and MasterCard’s Site Data Protection (SDP) Program has led to the formation of a worldwide standard for consumer data protection across the payment industry known as the Payment Card Industry (PCI) Data Security Standard.

Q: How does Visa manage these situations?

A: In a compromise, a number of factors may be involved and individual Issuers make the decision about reissuing and/or monitoring. For example, is it equipment theft? Was there a system intrusion with intent to use the data? The goal here is for Visa and the Issuer to respond quickly and manage the situation to minimize risk to the system and protect cardholders. We do this by:

· Continually monitoring for abnormal system activity;

· Quickly investigating and notifying issuing banks when a situation is detected;

· Resolving the source of breach with the compromised entity and shoring up their data security practices.

Q: Isn’t it true that this breach is the largest breach in Visa history?

A: We are unable to get into any specifics given the ongoing investigation and can only say that Visa takes any breach of security very seriously.

Q: Will Visa be taking disciplinary action against the processor, especially since it was not CISP compliant?

A: It would be premature to suggest any type of action by Visa given that we are still investigating this matter. Visa is continuing to monitor the situation and to work with the processor to help ensure that it is compliant with the highest security standards.

In the past, Visa has levied substantial fines against entities that have not been in compliance. That said, the ultimate goal of the data security requirements is to get every entity to comply and to safeguard sensitive data and we would rather not be in the position of levying fines on anyone. In those cases where entities refuse to take security as seriously as we do, we will take the appropriate action.