[PCWorld]

Post your comments for Heartland has No Heart for Violated Customers here

[boston2boulder]

You missed the big story on this one. The headline is “Heartland steps up and admits a problem.” Heartland’s reputation and history of being the first to publicize price reductions in the Visa / MasterCard interchange cost network are legendary. They were at the leading edge of companies who stepped forward on day one to get merchants their rebates via the Wal-Mart settlement. Theses are cases where Heartland could have gained millions in profit, and instead, put the consumer first.
I do not believe you (PC World) understand this industry. Heartland has publically sounded the alarm from events they themselves just learned of. Yes, they were hacked in the past. They just found out themselves.
Soon you will come to find out that all the major credit card acquirers have been compromised. This will come to the surface because Heartland has stepped up and owned the problem / solution. Since you stand tall on the mountain of ethical judgment…I will be curious to see if you extend kudos to Heartland for being the one who sounded the alarm. I am sorry to say so, but I doubt it.
It is absurd for you to suggest that they contact every person who ever used a card even if there is no evidence of foul play. Let’s face it. We, the consumer have a responsibility to monitor our finances and statement balances. We seem to understand that people steal cars, so we lock them. We get that folks steal wallets, so we protect them.
What do I do? Simple. Twice a year I close my account and start a new one with fresh account / routing numbers. It takes about 30 minutes.

I accept the fact that thieves will eventually outsmart the system, and when they do, the system will upgrade. They will eventually compromise the system, and we will upgrade it again. Etc, etc, etc. Even a child can understand that hackers (who many in the PC community hold up as heroes, which I find very odd…) will keep going until they succeed.
I see that card information is compromised. Please now furnish us with examples in this case where someone has lost money (Besides Heartland in its effort to make this right.)

[js567]

Hi boston2boulder, Are you an employee of Heartland? Its hard to believe that you are an independent person with no links to Heartland

[jimf]

Actually, the headline here should be: "Credit industry screws up again -- Customers to blame for actually expecting the credit industry to live up to their end of the consumer confidence bargain."

By and large we the consumers DO keep track of our finances, and when we find problems that scream FRAUD and IDENTITY THEFT, we call our financial institutions, any retailers involved, and our credit reporting bureaus, only to be bombarded with paperwork, accusations, red tape, fees, and have our credit rating shot to hades. And the list goes on, from Boston to Boulder -- and beyond.

The idea that we are all supposed to close all of our banking and credit accounts twice a year is beyond absurd -- especially since many of us have multiple accounts, run businesses and have more than enough to deal with already. Here's a novel idea: how about the financial and credit industry living up to their part of the consumer confidence equation and treat their customers like customers instead of like nuisances and criminals every time we report a problem that is not of our making.

Anybody else out there ever wish their lending institutions were as zealous about going after thieves as they are about nailing someone to the wall for mailing their payment in 6 hours later than they should have?

I really hope more people take you up on your challenge and write in to PC World with all of their real world examples of horror stories when their id was stolen, or their credit card info was hacked. My wife and I are fortunate to have a great bank, yet it still took us a week of repeated phone calls and e-mails to get a major retailer to do the right thing. They ADMITTED they KNEW it was a fraudulent purchase through a fraudulent account with our credit card and without our knowledge, they acknowledged this in writing -- TWICE, and then what did they do? They processed the order and mailed the shipment and charged our account so we had to fight to get our money back. Brilliant! The time we spent getting this squared away was time that we should have been spending making money. We will never get that time back, therefore we have lost money we can never hope to recoup.

So Boston, get off your high horse and pull your head out of whereever credit industry stiffs stick their heads when they can't stand the smell of their own bull. If the credit industry was without fault and treated its customers with the dignity and respect they deserve, people like me wouldn't be so ready to drag your sorry butts to court. Personally I can't wait to get that reluctant notice from the institution responsible for allowing someone NOT on our credit account to use our credit card to make purchases. I'm sure there are plenty of innocent victims out there who got shafted by the credit and banking industry between the time this system was hacked and when they finally admitted the fact to their customers. I bet they'd just love to have the opportunity to share their story, not only here in this forum, but in the forum of our legal system as well. Be careful what you wish for boston2boulder. You might just get it.

[aspicer]

Well what's scary about this is the public has no way of knowing what credit card transaction processing service a particular merchant or service provider uses. So even if we know this one has been hacked, we don't know if we could be affected. I personally monitor online all transactions to my cards. I get instant notifications by email of transactions, so I know when to contest something and I have done it.

What gets me as well about credit card processors is the holds they do on transactions. This feature is is there so that companies such as rental car can make sure that you don't run out of funds or credit balance on your card before the final transaction - which could be days or weeks later. But often this hold is not relevant. For example I've had gas stations do this and car wash businesses as well. There's no reason for these companies or their cc processors to hold funds for a week or so... when they (should) know full well that the final transaction was already cleared. I've had this happen as well when purchasing equipment or parts to re-sell in my business. Say $500 or $800 dollars gets held when I phone in the order, then later that day (often only a couple hours or a few hours later) the final transaction gets processed. But my debit card still shows minus the hold (same amount as the transaction) plus the transaction as well. And everyone thinks that I shouldn't be b' about this. But on a debit card to have DOUBLE an amount charged - $1600 instead of $800, or $1000 instead of $500 - is very bad. You get funds from a client to purchase gear on a quote... just enough to get the gear. Who wants to be out the amount DOUBLE for a week to 10 days? And what are the cc processors doing with that money? Is it another wool pulled over our eyes so that they can make Interest on the money for 7-10 days on lots of holds until they are released? They probably figure most credit card holds, versus debit card holders, would never notice this trick... and never say anything. After all it's just credit not real money right? Well what if you have a $2000 limit on your cc? And... you do several of these transactions over 7-10 days. There goes your credit limit to S. Not nice. I call to all cc processors to fix this problem. If you have no need to hold funds after a final transaction is done... then you need to be releasing these funds. I've called companies and cc processing companies both - fighting to get these double-charged holds released when there's no valid reason for them to be there.

[Fretless]

Wow. I'm thinking not only is Boston2Boulder an employee, but probably a member of the Executive Committee. Dude, you are bleeding brand loyalty. Someone call a doctor before this guy bleeds out.

[boston2boulder]

Obviously I am an employee. I am also a Magna cum Laude graduate in Business Finance and have run two companies with gross sales in excess of $80M. My employment does not stop my brain from working. On the contrary, it arms me with information you do not have.


I am sick and tired of tech savvy readers of PC magazines secretly cheering on hackers, and then complaining when they succeed.



Once again, please point me to the people who have specifically been harmed in this exploit. You may discover that the hackers have gained the very same information you gladly share during online purchases and in person when you hand your card over.



Heartland clients are PCI compliant, which means consumers are protected from merchants who do not responsibly manage client data.



Since you now know who I work for and a bit of what may qualify me to wade in with a comment, may I ask how you are qualified to critique this event?
Message was edited by: AuroraDizon removed excess text from wordpad.

[ww1065]

Instead of a nightmare story, I have a nightime success story. I have made some late night online purchases for goods overseas with my credit card and each time within five minutes the phone rang with the bank asking if I just made a purchase. I didn't recognize the number the second time and let it go to the answering machine (I get a bit put out with 11PM phone calls), and a minute later, my cell phone rang. I did recognize that number being the same that rang the house moments ago.

Now, that is one bank I do business with, the other bank never bothered with any purchases I have made.

I just hope that this will bite Heartland in the wallet; possibly with fines and loss of business (that will require those using them to put their customers first). There is no reason to have let things like this go that long unnoticed and I imagine they will be getting into it deeper and deeper as the investigation progresses. The credit card corporations themselves may just have something to say about this....

[boston2boulder]

I have a solution for you all. It is a new product. Revolutionary really. It is called cash. Grab a handful and cut your cards in half. You complain about companies that
hold funds, that is the company, not the acquiring bankers (Heartland and others.) You applaud getting calls for possible bogus purchases. Heartland makes those calls.


This is not an ethical failure. This is a crime against Heartland and consumers. I do not see one comment about the criminals who perpetrated this crime.



This is my last posting. I have clients who require my help in ordinary matters. We do show up, in person, to work with our clients.



Once again, when our compeitors are uncovered through investigation instead of honest foreclosure, I hop your high horses are in full gear.



Best of luck in 2009.

And don’t forget! Cash is King! Don’t leave home without it!
Message was edited by: AuroraDizon - edited out coding from wordpad.

[npc209]

Way to go boston2boulder!!!!!!!!!!!
I too am an employee of Heartland. What this idot does not say is that RBS was also perpetrated in the fall of 2008 but did not broadcast it. Also that Fifth Third Bank in Ohio was fined in 2007 for the TJMax issue, which was over 100 million card numbers. He needs to do more research before he picks on just one processor.

[nx1701]

I read PC World, boston2boulder, and I do NOT "secretly cheer on hackers" nor do I consider them to be heroes! And, you completely missed the articles point - Heartland is doing ONLY the bare minimum it needs to do in dealing with this problem. The author is NOT suggesting that Heartland notify "every person who uses a credit card", but rather every person whose personal data is in the Heartland network because their credit card transactions were processed through Heartland!

No one is debating that this was a crime against Heartland and against consumers. Why Heartland is being criticized is because they knew of this problem since fall of 2008 (and, possibly, since May, 2008!) and did not disclose this to anybody until Jan 20, 2009! And, to make matters worse, they only intend to notify potential victims ONLY in states that have data-loss disclosure laws, instead of EVERY potential victim in their network - how can you possibly defend THAT?!!

[cpfoutz79]

Boston...#1 you are obviously a salesman. The one thing I've learned about salesman is in their mind, everything their employer does is the best.
I work as a security expert for one of the largest credit card issuers in the world (I would name drop, but my employment agreement forbids it)...I know PCI because I used to audit our vendors. PCI, to some degree, is a joke. You have to do quarterly vulnerability scans, but 1) those scans aren't robust 2) they are oftentimes done by some fly by night shop setting up an automated server to do it, and that's just one example.
Secondly, and most importantly, your company is doing the BARE MINIMUM in notifying it's customers. Only the most shady companies follow the bare minimum anymore. For instance, I would leave a bank who makes me responsible for the first $50 in fraud to my card. It costs credit card companies millions of dollars to reissue cards because of your shoddy handling of data...step up and pay for it. Notify EVERYONE who's data was breached...that's what TJ Maxx did. Let them know they need to replace their card, and eat the cost, I believe that's what TJ Maxx did...I know I had multiple cards replaced b/c of that fiasco.
I want the hacker thrown in jail for good, and you need to step up and pay for the forensics to figure out who that person was.
I'm also curious to see what shoddy security practices your company was following, because I'm sure we'll find something. Maybe your company was paying your cousin to set up that cheesy server to do the vulnerability scans...regardless, I'm sure when that report comes out you'll have to walk away with your tail between your legs...every other large scale security breach has ended up that way.
Better brush up your resume buddy boy...you're going the way of CardSystems.
Yes, the criminal stole the data, but it is your responsibility to protect it.
And yes, my company, by in large, does take the protection of customer data seriously. Knock on wood, we haven't had any sizable loss of data in the NA arm.

[cpfoutz79]

By the way...while you say cash is king, you're much safer doing transactions via credit card than cash...

[boston2boulder]

I can defend that with the simple truth, which you elect not
to pay attention to. The breach was in the past, and its discovery is recent. Please read the previous posting by another
Heartland employee who lists other violation of data. The difference we keep trying to underline is
that we brought this to light voluntarily.
We did not sit on it. When we
knew it, you knew it. I get that you are
frustrated. I also get that you do not
know, or acknowledge, the whole story. You
know little about how funds and data flow.



Since other major providers were hacked in the past….and the
evidence is strong that others have simply not come forward, what is the
solution? Stealing this data is a serious
crime. Instead of crucifying the victim,
write your congress-person and demand swift and full investigation. Demand action and stiff penalties.



Once again…blame others…do not check your accounts…and in
the meantime…carry cash. Credit cards
are contractual agreements you signed. I
am assuming you never have made an online purchase, and happily offered your
account number, expiration date, CVV number, home address and phone
number. Guess what? If you send a 10 year old that info…they can
run your card. You took a risk in the name of convenience. Thieves stole data, and possibly money. Stop crying and stop using credit cards. They are a privilege…not a right. Carry cash… Problem solved. TJ Maxx lost 100
million number years ago. Did you stop
using cards then??? Did the Earth stop
turning? Did space aliens take over your
town? Get over yourself and grow
up.



Go back to your PC and allow me to wonder why on earth you
run the most hacked software in the World.
Oh, and by the way…Mac’s get hacked too…you just don’t talk about it.

[nx1701]

The simple truth, which YOU choose to ignore, is that a considerable period of time has elapsed in between fall, 2008 (the LATEST time that Heartland allegedly was aware of the breach) and Jan 20, 2009, when Heartland QUIETLY announced the breach! That does not sound like "bringing it to light voluntarily", it sounds like sitting on it and keeping it quiet until the last possible moment!!

To suggest, in 2009, that people stop using credit cards and start carrying cash is ludicrous, and it simply highlights how out of touch with reality you are! I am not defending the use of credit cards, nor am I saying using cash is bad. I am simply saying that using credit cards instead of carrying cash is the way of life in America (indeed, in much of the world!), and life, whether you like it or not, will NEVER go back to using cash over credit cards.

Heartland needs to step-up and do (and pay for!) whatever it takes to protect the personal information of the people whose credit card transactions were processed through their network - people whose personal info is now compromised due to their shoddy and inept security practices!

Oh, and by the way, please don't be another one of those idiots that bashes Windows as being insecure because it's the target of so many hackers and has so many security patches issued all the time - that's only because Windows is on every system worth hacking into! In other words, since Windows is THE most prevalent operating system in the world, it's only natural it's going to be the most exploited one!

[boston2boulder]

FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS FACTS



Heartland Payment Systems Uncovers
Malicious Software In Its Processing System

No merchant information or cardholder Social Security numbers compromised.

Princeton, NJ – January 20, 2009 – Payments processor Heartland Payment Systems has
learned it was the victim of a security breach within its processing system in 2008. Heartland
believes the intrusion is contained.

“We found evidence of an intrusion last week and immediately notified federal law enforcement
officials as well as the card brands,” said Robert H.B., Baldwin, Jr., Heartland’s president and
chief financial officer. “We understand that this incident may be the result of a widespread global
cyber fraud operation, and we are cooperating closely with the United States Secret Service and
Department of Justice.”

No merchant data or cardholder Social Security numbers, unencrypted personal identification
numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of
Heartland’s check management systems; Canadian, payroll, campus solutions or micropayments
operations; Give Something Back Network; or the recently acquired Network Services and
Chockstone processing platforms.

After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card
transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough
investigation into the matter. Last week, the investigation uncovered malicious software that
compromised data that crossed Heartland’s network.

Heartland immediately took a number of steps to further secure its systems. In addition,
Heartland will implement a next-generation program designed to flag network anomalies in realtime
and enable law enforcement to expeditiously apprehend cyber criminals.

Heartland has created a website – www.2008breach.com – to provide information about this
incident and advises cardholders to examine their monthly statements closely and report any
suspicious activity to their card issuers. Cardholders are not responsible for unauthorized
fraudulent charges made by third parties.

[nx1701]

What the hell does THAT prove?!! That is a press release BY Heartland - how do we know they're being honest?!!



Maybe Heartland should've ALREADY taken "those number of steps to further secure it's systems" they're now taking!

[boston2boulder]

Oh my God. You actually did not understand that the cash comment is a joke. Of course that is ludicrous. It was made to point out that this is the
state of affairs we live in. Many firms in our business have been hacked. The fact is that no merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland’s check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms.

In other words…they got the information you give out freely on a daily basis. You do not know the facts, and have a lot of opinions. Nothing is more tiresome than that. Your Windows comment is also a bit out there, since the analogy would make a lot more sense if it reflected that
the credit card industry is … the target of so many hackers and has so many security patches issued all the time - that's only because the money in that worth hacking into! I need to send in a contract from a clinet who processes $1.2M and understands how this really works.
Thanks…

[mccartyseanm]

If you're concerned about Heartland, carry back-up cash, ask the merchant re: their card processor; if they refuse, or can't find out, pay cash and let them know that you won't be back. You can't change the world, but you also don't have to be sheep. As my hero, Ronald Reagan once said, "vote with your feet".

[nx1701]

Do you HONESTLY believe that some 17-year-old at Walmart is going to know who handles the credit card transactions for them?!! Get real!