In response to a request for comment on Frank's letter, Visa said in an e-mailed statement that it understood the need for quickly giving financial institutions the information needed to protect themselves and cardholders from losses in the event of a security breach.

However, 'accusing a single source of the compromise before the investigation is complete could be inaccurate and unfair,' the company said. 'Similarly, disclosing the name of the compromised entity would become a powerful disincentive for the compromised entity to share time-sensitive information with Visa' going forward, the statement said.

MasterCard did not respond to requests for comment.

According to a source working for a company now helping law enforcement officials investigate the fraud, most evidence suggests that point-of-sale systems at a California store of retailer OfficeMax were somehow involved in the compromise.

'All roads are pointing in that direction,' said the source, who requested anonymity. But it is still not clear exactly how the debit card and PIN information was accessed and by whom, he said, adding that about 200,000 cards may have been compromised.