<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Silver Tail Blog &#187; credit cards</title>
	<atom:link href="http://silvertailsystems.wordpress.com/tag/credit-cards/feed/" rel="self" type="application/rss+xml" />
	<link>http://silvertailsystems.wordpress.com</link>
	<description>Fighting against business logic abuse.</description>
	<lastBuildDate>Fri, 18 Dec 2009 12:11:53 +0000</lastBuildDate>
	<generator>http://wordpress.com/</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<cloud domain='silvertailsystems.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://www.gravatar.com/blavatar/577fb613fda4531b5f1cbba10427b2bb?s=96&#038;d=http://s.wordpress.com/i/buttonw-com.png</url>
		<title>Silver Tail Blog &#187; credit cards</title>
		<link>http://silvertailsystems.wordpress.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://silvertailsystems.wordpress.com/osd.xml" title="Silver Tail Blog" />
		<item>
		<title>Heartland response &#8211; Minimizing the damage of breached data</title>
		<link>http://silvertailsystems.wordpress.com/2009/01/27/heartland-response-minimizing-the-damage-breached-data/</link>
		<comments>http://silvertailsystems.wordpress.com/2009/01/27/heartland-response-minimizing-the-damage-breached-data/#comments</comments>
		<pubDate>Tue, 27 Jan 2009 18:43:17 +0000</pubDate>
		<dc:creator>Mike Eynon</dc:creator>
				<category><![CDATA[Data Loss]]></category>
		<category><![CDATA[Online Fraud]]></category>
		<category><![CDATA[collaboration]]></category>
		<category><![CDATA[credit cards]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://silvertailsystems.wordpress.com/?p=196</guid>
		<description><![CDATA[Bruce Schneier often talks about the response to data breaches, like the recent Heartland incident.  In a recent post, Bruce discussed how data breach notification laws encourage companies to improve their security.
While I&#8217;m all for encouraging companies to improve their security and see how breach notification laws can help with that, now that a breach [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Bruce Schneier often talks about the response to data breaches, like the recent Heartland incident.  In a <a title="Schneier on notification laws" href="http://www.schneier.com/blog/archives/2009/01/state_data_brea.html" target="_blank">recent post</a>, Bruce discussed how data breach notification laws encourage companies to improve their security.</p>
<p>While I&#8217;m all for encouraging companies to improve their security and see how breach notification laws can help with that, now that a breach has occurred, the next step should be to try to minimize the subsequent damage.</p>
<p><img class="alignleft size-full wp-image-199" title="breach" src="http://silvertailsystems.files.wordpress.com/2009/01/breach.jpg?w=126&#038;h=106" alt="breach" width="126" height="106" />One method for minimizing data loss might be a bit controversial, but could also have a major impact on identifying the use of the stolen cards.  Here&#8217;s the idea (try not to judge it until you read the rest of the post): The credit card companies that cancel the impacted cards should privately publish the canceled card numbers to merchants.</p>
<p>This probably needs more explanation.  If the credit card companies had a certain set of merchants with which they had very good working relationships &#8211; maybe some of the large online merchants, for example &#8211; they could give those merchants the list of card numbers that had been canceled.  Then those merchants could look for the canceled cards being used and flag that activity &#8211; and anything associated with it &#8211; as suspicious.  Since it is likely the bad actors will use the cards in batches and they won&#8217;t know which cards were canceled versus which were not, this is one way the credit card companies could help minimize the damage to the merchants.</p>
<p>Some people may be concerned about the privacy of credit card companies sending out credit card numbers.  There are three things to keep in mind about this.  First, the credit card numbers they would send out would not have any other information associated with them &#8211; they would just be card numbers.  Second, since the cards themselves would have been canceled, they are no longer owned by any person but are, instead, owned by the credit card companies themselves.  So there shouldn&#8217;t be any privacy concerns.  Third, I am not advocating that the card numbers be published on the internet for everyone to see.  Instead, they should be delivered via a secure mechanism only to merchants that are well known, trusted, and interested in using them to take action.</p>
<p>What would be the right way to make this collaboration happen?</p>
 Tagged: collaboration, credit cards, Data Loss, Online Fraud, security</div>]]></content:encoded>
			<wfw:commentRss>http://silvertailsystems.wordpress.com/2009/01/27/heartland-response-minimizing-the-damage-breached-data/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/dec8eceef440805596b4b905e4b72181?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Mike Eynon</media:title>
		</media:content>

		<media:content url="http://silvertailsystems.files.wordpress.com/2009/01/breach.jpg" medium="image">
			<media:title type="html">breach</media:title>
		</media:content>
	</item>
	</channel>
</rss>