Visa USA Inc., the giant credit card company, is exploring ways to reward businesses that enhance their security practices to protect against credit card fraud and online scams, the company's chief executive officer (CEO) said Wednesday.
Visa supports legislation introduced in the U.S. Congress that would require businesses to notify affected customers after certain data breaches, as well as legislation that would require businesses that store personal information to comply with security standards, said John Coghlan, appointed president and CEO of Visa USA in July.
Businesses should be required to notify customers of data breaches based on an "analysis of the real danger" of customers being harmed, Coghlan said during a cardholder security summit in Washington, D.C., sponsored by Visa USA. Some members of Congress have pushed for customers to be notified after all data breaches, not only when there's a large danger of identity theft or credit card fraud.
"We need to give the people out there information they can use to protect themselves from identity theft and its consequences, but we're not trying to cause or create panic," Coghlan told the audience of merchants and other Visa partners.
Coghlan also called for new laws that would increase penalties for credit card and data fraud. Visa supports a bill under consideration in Congress that would add two years in jail to existing penalties for criminals convicted of identity theft or computer fraud, he said.
Businesses need to work together to better fight identity theft and computer fraud because customers will lose confidence in electronic transactions if they continue to see major data breaches, said Visa officials and other speakers at the conference.
"This really is a critical business issue," said Marge Connelly, executive vice president for corporate reputation and government at credit card issuer Capital One Services Inc. "It's not just one of the concerns of the security department, or one of the concerns of the IT department."
Coghlan said his idea to reward merchants and banks that improve security practices is in its infancy. Visa is also exploring ways to "make it financially attractive" for software developers to write secure applications, he said. One possibility is for Visa to make card acceptance easier for merchants that have strong security practices.
"We need a carrot as well as a stick to fight fraud," Coghlan said. "While we know that not harming customers is usually a great incentive, we are also asking ourselves, 'What other financial incentives can we create?'"
Even with better security incentives, a federal data protection law is needed, as multiple state and local governments are creating their own, often conflicting, data protection laws, Coghlan said. Twenty-one states have data breach notification laws that allow companies to delay notification until a law enforcement investigation is complete, but an Illinois law and a New York City law don't allow for a delay.
"How can companies comply with that?" Coghlan said. "How can customers develop realistic expectations regarding notification under that kind of inconsistent regime?"
