Community Bankers Association of Illinois

Fraud Alert – Heartland Payment Systems Breach May Affect Community Banks!

Heartland Payment Systems, the sixth largest processor in the nation, reported on Tuesday that its processing system was breached in 2008, exposing an undetermined number of consumers to potential fraud. Heartland processes for approximately 250,000 small to mid-sized merchants and handles 100 million transactions per month.

According to VISA, hackers used malicious malware and sniffer software to intercept account numbers during a six-month period ending on or about November 13, 2008. They concede that cardholder names and account numbers were exposed. Track 1 and 2 magnetic stripe information, CVV code and encrypted PIN information were also captured.

As a result, VISA officials have indicated that the Account Data Compromise Recovery (ADCR) procedure may apply to this event. The ADCR process is used exclusively for magnetic-strip data compromise events. It provides two processes for issuing banks to partially recover losses. The first covers partial recovery of fraud losses and the second is partial recovery of operating expenses.

Please contact your card processor for information about the procedures for filing disputed counterfeit card transaction claims.

Although it will take months to complete the forensic investigation, industry experts speculate the breach will dwarf the TJ Max breach, which affected 40 million accountholders.

VISA has reported that CAMS alerts related to this event began appearing on Monday, January 19, 2009, and will likely continue for several weeks. The alerts identify accounts that have been compromised and are organized according to risk.

Recommended Steps to Reduce Fraud Losses:

1) Join a neural network.
2) Reduce the daily withdrawal limits on signature-based debit cards.
3) Review all CAMS and MC alerts and take appropriate action, including initiating VISA’s ADCR recovery procedure.
4) Notify customers if account information is stolen. It’s the law in Illinois. (IL Personal Information Protection Act)
5) Contact your processor and verify proper fraud reporting procedures.

Please visit the Fraud Resource Center at for archived alerts, best practices, and sample letters. If you have any questions, contact me at or 800/736-2224.


Mike Duke

  800.736.2224 (IL) | 217.529.2265  
  DISCLAIMER: The association is not responsible for and has no control over the subject matter, content, information, or graphics when viewing links attached to this association's site.