Credit card hackers find new, rich targets

Posted: Friday, January 23 at 05:00 am CT by Bob Sullivan

Few noticed on Christmas Eve when the news broke that electronic payment services firm RBS WorldPay had been hit by hackers who stole personal data on 1.5 million consumers. After all, that's small potatoes these days. But when Heartland Payment Systems announced on Inauguration Day that it had suffered a serious security breach, some experts noticed a pattern -- and not just the companies' standard penchant for releasing bad news on days when the public is distracted.

"I have heard that the payment processors are the main target for hackers now," said Avivah Litan, security expert at consultancy firm Gartner.

Heartland has not released an estimate of the number of accounts impacted by the attack, but Litan said it might be the biggest data leak ever: The firm handles 100 million transactions every month for 250,000 clients. Heartland has said it was alerted by Visa and MasterCard to a pattern of fraud on its networks last fall, but only discovered the security hole in its network last week. That gave hackers access to potentially hundreds of millions of transactions over several months.

The largest known data leak to date involved retailer TJ Maxx, which lost the data on 45 million credit cards in 2007. But this time, there are signs the haul, and the targets, might be astonishingly large.

In its release, Heartland said it was the victim of a "widespread global cyber fraud operation." CFO Robert Baldwin told the Wall Street Journal that the firm had been targeted by malicious software that was "light-years more sophisticated" than standard computer viruses. Those ominous statements, combined with the news about RBS WorldPay, suggest to Litan that hackers have now trained their relentless keyboards on payment processing firms.

Few American consumers have ever heard of Heartland or RBS WorldPay. But these firms -- and others including First Data, TSYS, and Nova Information Systems -- regularly capture and transmit personal information about nearly every American.

Payment processors handle credit-, debit- and gift-card transactions from the moment you swipe your card at a store until your bank debits your account and adds the money to the store's account. These are complicated processes -- the processor must make sure you have the money (or the credit limit) to afford the purchase, then tell your bank to send money to the store's bank. Often, third-party firms – such as software companies that manage store cash registers – add to the complexity.

Right now, consumers have no way of knowing if their data was stolen in the RBS WorldPay or Heartland attacks; they may never find out. Retailers rarely advertise which payment systems they use. Heartland has said publicly that nearly half of its transactions come from restaurants, but has declined to identify its clients. It’s also declined to identify consumers who might be victims.

That's where the data is

It makes sense for hackers to target processing companies -- that's where the most data is. A firm like Heartland has access to far more credit and debit card numbers in a given month than any single retailer.

But there's another factor that makes processors vulnerable, Litan said. While payment industry rules require that credit card data be encrypted while it's stored by retailers, processors, and banks, there is no requirement that the data be encrypted while in transit over private networks. That's a weakness which hackers have now targeted, she said.

Heartland isn’t saying how a computer virus was able to get onto its systems. But once there, its makers would have had a fairly easy time sniffing out credit card data, Litan said.

"The likelihood is that there was malicious software sitting on a server (at Heartland) looking for transmissions that represented authorization requests, and then the malware would turn on and capture that data," she said.

In August of last year, Visa issued a warning to payment services companies predicting exactly that kind of attack.

“Visa has noticed an emerging trend in which computer hackers use packet sniffers to intercept and collect cardholder data,” it said in a security alert sent to clients. “Recent investigations have uncovered evidence of packet sniffers being used by network intruders to capture payment card data as it is transmitted over the network during authorization. This threat involves compromising the system and then installing a sniffer program or installing a hardware sniffer. …. Once network intruders gain entry into a merchant’s system, the packet sniffer programs are installed and can be difficult to detect.”

Adding encryption tools would foil such packet sniffing, but doing so is a logistical challenge; all the various parties would have to agree on encryption key management. Still, Litan said, such a step would not be impossible -- and she criticized banks as “lazy” for not requiring encryption.

"They could do it. It's just very costly," she said.

Then again, so is a major security breach.
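
The gap Litan describes, card data crossing private networks in the clear, is something a network owner can test for on their own segments. The Python below is an added example, not part of the original article: it checks captured payloads for Luhn-valid card numbers and reports them masked. The flow names, field names and payload bytes are constructed for illustration, and the card number is a well-known test number.

```python
from __future__ import annotations

import re

# A candidate PAN is 13-19 contiguous ASCII digits that are not part of a
# longer digit run (so counters and long reference numbers are skipped).
PAN_CANDIDATE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: bytes) -> bool:
    """Return True if the ASCII digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30                # ASCII digit -> integer
        if i % 2 == 1:               # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep the first six and last four digits so findings are safe to log."""
    s = pan.decode("ascii")
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def find_cleartext_pans(payload: bytes) -> list[str]:
    """Return masked forms of every Luhn-valid card number in a payload."""
    return [
        mask(m.group())
        for m in PAN_CANDIDATE.finditer(payload)
        if luhn_valid(m.group())
    ]


def audit_flows(flows: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each flow that carries cleartext card numbers to its masked hits."""
    findings = {}
    for name, payload in flows.items():
        hits = find_cleartext_pans(payload)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample payloads (not a real message format):
SAMPLE_FLOWS = {
    # Authorization request sent in the clear: track data is readable.
    "pos-to-processor": b"MSG=AUTHREQ;TRACK2=4111111111111111=2512101;AMT=000000004599",
    # 16-digit reference that fails the Luhn check: not reported.
    "settlement-ref": b"MSG=SETTLE;REF=1234567890123456",
    # Stand-in for an encrypted payload: no readable digit runs at all.
    "encrypted-link": bytes.fromhex("8fa3c2d17be4905a6c1fd8e2b7a04c93"),
}

if __name__ == "__main__":
    for flow, hits in audit_flows(SAMPLE_FLOWS).items():
        print(f"cleartext card data on {flow}: {hits}")
```

A finding on any internal flow means the data is readable to anything that can observe that segment; the encrypted flow produces none.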






123 COMMENTS

As any retailer going through a PCI audit, as we are, the biggest question that is asked of an auditor is why are the processors not required to encrypt. From POS, through all internal networks, data must be encrypted, but once it leaves its last hop before heading out to the processor, we must de-crypt and send plain text.
When experiencing issues with a processor, we have even been faxed card numbers, 20 pages worth, from the processor to let us know 'here are the card numbers in question'.
The issue is definitely with the processor. As this trend grows, TJX will go down as the last merchant to be attacked. There simply aren't enough card numbers in a single retailer to attract a thief, only in the processors.

Call me old-fashioned or outdated, I don't care, but what the hell happened to good ol' paper money being used to take care of things? Hmmm, a lot fewer headaches were involved.

If all of you believe it is the banks and the out-sourcing companies that will allow theft, or participate in it you are all mistaken. Listen up folks: some time ago I had an IRA. I was nearing retirement age and decided to go online and view my account status. I saved thru my job with Metropolitan Life which eventually was sold to the Travellers Insurance, the umbrella folks. When I signed in using my own personal password I pulled up the information for an individual I did not know. I saw they had two accounts. And they had a lot of money saved towards retirement. I couldn't believe what I was looking at. I thought "ok, this is a fluke" so I signed out and signed in again. This was not a fluke but a major breach in security for that person and for me. So I changed screens to see if I could get into other info about this person, like SSN, age, dob, address, phone numbers, etc. And, yes, I did get into all of it. By the time I finished looking I realized I could transfer all of this person's savings to my own account, have a check cut and delivered or do anything I wanted to do with her funds. But I didn't do any of that. Instead I called MetLife right away. Late Friday afternoon no one wanted to speak to me. I was told everybody had gone home already. I insisted ... Finally I told the person I was speaking to either you find someone to put on this phone now or this (I explained) would be on the news before midnight. Yes, they got someone on the phone whose first response was "You are mistaken, this is impossible - let me check this out, hold on" I waited, he came back saying Oh My God how did this happen. Well who knows how it happened. Who cares how it happened. It happened. You must know I went through a process of inquiries and suggestions. But at that point all I wanted was my money out of there and I had one DEMAND. That being: I wanted assurance the individuals whose info I had access to, not only be advised of same, but also notify me that she was advised.
One thing for sure, I did not believe the company would tell their client the truth. I don't know if they ever did. But I do know they refused to give me my funds without me reaching proper age - even after such a breach, and they refused to drop the "early withdrawal deductions". Well, long and short of this is: the company, Metropolitan Life, did not do as I requested, did not provide any proof whatsoever that they informed their other client, and DID charge me the withdrawal fees when I reached the age of early withdrawal. Personally, they not only should have given me back all my money, but they should have paid out a lot more money to me for this major breach in their security. So, having said all this one thing is clear: Banks, processing companies, Retailers and all the rest will not do anything to protect anyone but themselves until we find a way to force them to do so. And I agree with all the people who said go back to using cash whenever or wherever you possibly can. You might even try COD, some internet companies will do COD. Devalue the use of bank cards, credit cards, and checks. Make these companies who handle our funds in any fashion earn the profits they make off of us. Because the bottom line is simple: We are the only ones paying. Everyone else is receiving. Oh, and if any of you think the story I just wrote is not true - I kept copies of what I found. I can prove this at any time. Let's hope I don't have to.

I just think that there is no point in bailing out the banks. How about helping the people that have the money in the banks in the first place?

This is fairly simple to protect against. Literally, I change my card numbers about every 6 months and have requested new cards immediately following Christmas for about the last 3 years.

When the CC company issues you a new card, you still keep the same number. You need to ask the CC company to issue a new card number. It's a 5 minute call and only takes a few days to get the card. Small price to pay to ensure that my card numbers aren't floating out in the wild.

NEVER hesitate to change card numbers.

Please, the problem of ID theft is not simply that someone can take your credit or debit card information and spend your money. The real problem, the one that's not going away, is that your information and mine is already in multiple databases...even if you've never owned a credit card. Do you drive? Own or rent a house? Did you go to school? Get married? Apply for a job? Receive any entitlement benefits? All of these, and more, have multiple and frequently independent databases. We are at risk, not simply because we have credit cards, but because we were born.

If you have truly lousy credit, don't think you are safe. The real problem of identity theft is not someone stealing financial information. The real problem is when someone BECOMES you. If you are stopped for a minor traffic violation and wind up going to jail for "failure to appear" for the DUI you received in a state you've never visited, a low credit score has not protected you from ID theft. Credit card fraud, in all its forms, is just the tip of the iceberg.

just a couple points:

Hoosier bank wrote:

"When someone's credit/debit card number is stolen and then is used to make a counterfeit card, the fraudulent transactions are almost always paid by the issuing bank, not the consumer and not the credit card processor that was hacked into. The issuing bank loses"

WRONG:

Fraud purchases are charged back to the merchant who accepted the card - the merchant loses, not the CC companies or the banks.

We all pay for fraud when the CC companies and processors increase the discount rate merchants pay on each transaction. The merchant will build into their pricing an increase to cover those costs. So in the end WE THE CONSUMER will pay.

As a small retail business I have watched my CC processing % and fees increase yearly. We already have strict encryption regulations we follow.

Cash is king for me. and that doesn't mean a debit card.

Ever use a credit card to pay for groceries in a grocery store? Then as if magic you start receiving magazines that pertain to some stuff you purchased at the grocers. Well Dah!! The grocers are selling your credit card information to magazines. How else do the magazine companies know where to mail them to? The magazines are targeted to what you buy. Now the magazines have your personal information and they sell it to who knows who. There is no way for your credit card information to be kept secret until we make it illegal for companies to sell personal data. If it is illegal, then no one is enforcing it. And it's not just grocers. It's any company you've purchased from using a credit card. Think about it. You might wonder how I know this to be true. I never used to get magazine offers in the mail. One day I purchased items in a grocery store and didn't have enough cash with me at the time. I decided to use my credit card. Within two weeks time I was getting magazine offers in the mail that dealt with items I had purchased at the grocers. It was no coincidence. The grocers will tell you they don't sell personal information. Well guess what people, they are lying through their teeth.

National ID ?
You need a Rabbi.
BCM5892/5893

To Roger from Cincinnati Ohio...

I made the same statement years ago. This is what I believe as well.

I really fear that the next terrorist attack will be in the form of a financial nightmare.

I am also a computer programmer of 30 years, and I just read an article that claims that 90% of the world's FINANCIAL systems were written in COBOL!!! Does anyone here even know what that is? It's an archaic language from the 70's designed for Mainframe computers.

The months before the Y2K, I knew people getting paid $185 an HOUR to fix some of this old COBOL code. Planes didn't fall out of the sky, but THEY don't use COBOL.

Scary to think that our money is STILL being processed by programs where the programmer has probably retired by now.

Read the article about the White House's technology? They are using Atari's while we citizens are using X-Box's and PS/3's! I've worked in many government offices and trust me, they do NOT want you to change their programs! I knew a lot of workers that simply remembered the menu #'s to type in all day long to do their jobs... i.e. 1, ENTER, 5, ENTER, 3, ENTER, and so on. So, if we changed the menu #'s, they could be DELETING instead of ADDING, or whatever.

When it comes to computers, MOST people abhor CHANGE... and ironically we elected a president that promotes CHANGE! I hope he can make some changes in government. Upgrade their Windows 95 computers to Windows 98 would be a good start, however, I don't want to pay for it with MY taxes!

The comment about Heartland outsourcing computer code may be true, this is indeed a separate issue. Malware, which is what is being reported as the culprit and most likely has infected one, two, or many computers on their internal system... or even entered the system from an infected laptop someone is using to access the VPN. The malware used to gain administrative access through possibly username and password, undoubtedly was undetectable kernel level keylogging. WORSE, if this was perpetrated by a crime ring, most likely they are using polymorphic keyloggers which means, it can change its "signature" every hour... or, it can make a copy of itself and forensics may find an original and think they've removed it. Translation... it is HIGHLY likely they will never be able to find it or its variants.

The bad guys are WAY smarter than the good guys. There are over 12,000 keyloggers in daily distribution. Major anti-virus companies spend months, even years trying to rid the Internet of one of them... and most of them resurface and cannot be removed by ANY of the anti-virus programs on the market. Removal has to happen manually through your computer's registry. But forget it if your computer is infected with a polymorphic keylogger. Don't believe me... do your research and see what industry experts say (try the "Secunia Report") about how effective anti-virus programs are.

Alvis Jenkins must have been the "tax adviser" to Wesley Snipes.

Hackers of all ages (5 years and up) should be given mandatory prison of not less than 20 years without chance of parole

Card Information Replacement Technology(CIRT) exists today that will allow electronic exchange of value without the actual cardholder data ever entering the Point-of-Sale system. None of the existing payment infrastructure needs to be changed and transactions will flow as they always have. These technologies are called Tokenization, 4Go and i4Go. With no cardholder data being stored, processed or transmitted, there is nothing to steal and the whole problem of cardholder data theft and loss can potentially be eliminated. Free white paper "Tokenization in depth" is available at www.shift4.com

The ultimate solution to ID theft is not to play their ridiculous game of "credit report" in the first place. Go ahead and try to steal my identity, my 'credit' is so bad that nobody can steal it! Been that way for years and it's not been a problem for me....I dropped out of the game and love it.

If you think the majority of these hackers are foreigners...you're grossly uninformed. These people are home grown!

End-to-End Encryption from the POS Device to the issuer would indeed prevent hackers from sniffing packets (if implemented properly), just as has been done for years with encrypted ATM PINs. There's a reason why the hackers can't easily get their hands on ATM PINs - they are encrypted end-to-end.

What have you all been smoking? Silverado screwed the people of Calf, and devised a system to move the market, utilities, then went bankrupt. The big brokerage houses hired those who did the deed for the information on how to do it again only this time it was gas and oil, no one has changed anything except to give those SOB's more money, so why do you think anyone is going to do anything, except learn how to do it, only now it's data, your data, no one will come to your aid except you, frankly I do not care, and in reality neither do you, except to run your mouth. Do something, as long as it does not cost me anything! Sound familiar?

Maybe it's our own Gov. Getting back the money they use for the stimulus package for the banks.

I have a good idea. Let's all go back to the barter system and eliminate the use of money. No, that would not be a good choice. Well, maybe we all could make a greater effort to become educated about the law of finance and taxes. After all, everything is about money. Which brings up another good subject, money. What is money? Is our currency real money? No, it is not real money but it is money for the most part because you need it for whatever reason. When you work all week and it comes time for payday, how much of it is yours? Answer: all of it! But wait, your employer takes out for taxes. Taxes? Who says? This is where most Americans have no clue. Are you giving away your hard earned money to someone that has no mandatory law requiring so? Folks it's all about knowing the laws of the land. Ignorance will deprive you of what is actually yours. You will be the very ones to pay for the bailouts because you know nothing about government and the role you have not played in understanding what your duty is as a citizen to keep the government in check. April 15th will be the usual deadline for the payment of the Federal income tax, that is, if you are federally employed. Knowledge is power!

ever talked to a CS rep in India, Philippines, China, etc?

Then you'll know why!

If they understand what you say, then they miss the concept!

Need much higher prison terms for internet/credit crooks!

I am also a victim. There have been fraudulent charges to my account from Amazon EU and another audio book co. in the Netherlands. I am not very knowledgeable about these things and if possible would like to have an explanation. It would seem to me that no harm has been done until a charge is made for goods, services or a transfer of money. If there has been a transaction it would seem to me that the receiver should be traceable. Is this not the case?

Why not just send a well placed bunker busting bomb to the physical location of the IP address? That might hold them off for a while!

As usual, the common person has to suffer because of banking greed. I was recently victimized by debit card fraud, and the bank will only tell you to be more careful. How? They can't even tell you how their own systems were corrupted. If they want our money, then maybe they need to protect us more.

How about we switch to cash whenever it is possible. I know in this society it is not feasible to go 100% cash, but if we switch say 25% of our purchases to cash and loudly proclaim everywhere that it is because of security concerns then the banks and credit companies will take notice when 25% of their major profit cash cow (irony intended) disappears. It will also help reduce some of our careless spending as almost every study has shown and will help the small retailers as well, since they won't have to pay for a credit transaction.

Reality is as such;we are only "sheep" in a world of high ranking wolves. One would just like to believe different. We are told what we need to know by way of the media. The print comes from the gov't and channeled out into society. And "news" is structured to dispress and puts fear in society; *and it usually does. Step out of the picture to understand the angle. "He walks amongst us and he always comes with a handshake and a smile"and now he offers convenience otherwise "We'd" be able to identify him. Technology has contributed to societies laziness and will ultimately be or has been ones convenient "DEMISE"

InTheKnow (1st comment): You may want to check your sources before making inaccurate comments. Heartland does not outsource their computer coding overseas, they do it all in house. FirstData outsources their computer coding, but Heartland does not.

It is an insider you Heartland idiots. No "script kiddie" is inserting sophisticated packet sniffers that are recording and transmitting card numbers, expiry, and CV values. That kind of crap is done by an insider placed at your company for that sole purpose. You clowns did have all the PIN's in an Xcrypt hardware encryption box didn't you?

Bankers.... idiots at technology, idiots at managing money, they need to all re-train as janitors.

We now know that the US government has been data-mining precisely this type of information, and correlating it with our telephone records and who knows what else, as part of a misguided "war on terror." Given how they've done things the past 8 years, I assume this task is outsourced to private contractors based on political connections. Are the banks and payment processors sure that whatever method the government is using to siphon off that data for itself isn't also being exploited by hackers? Isn't it possible that the government siphon-stream itself may be the source of the leaks?

I am a retailer & pay extra for rewards cards & would like to know why credit card companies are not reimbursing us for rewards not used. they make it hard for their customers to collect the rewards, which they don't tell them we are paying for in higher discount rates for rewards cards. Isn't this some kind of fraud? and why are they able to charge us extra for one kind of card over another? or wouldn't it be nice if they told their customers that we, not they are paying for the rewards. suggestions would be helpful. thanks for airing this.

If you put a computer on the internet, it can be hacked.

Nothing anyone does and no matter how many walls you put it, they will get around it if they really want to.

They will keep the kids out, like anyone you have met that self proclaims themself a hacker, but it will never keep out the professionals.

What the !@#$ have we been thinking? Our system of cash money, which is, thank God, NOT private, has extremely tight controls at mints, has solid counterfeit protection (at least recently), and is well protected in transit. We also don't usually carry life devastating amounts of cash around with us. If we have our wallets stolen it's very unlikely it's the cash we're most worried about. It's that damn plastic, because its loss CAN have life devastating impact.
And yet we allow this far larger portion of our economy to function Helter Skelter in private hands, with a goal that is solely to maximize profit and with a level of responsibility in their work that seems to run from inadequate to shockingly derelict, with no enforceable standards along their chains of activity and obviously far too little regulation. And the penalties for crime in this area, as seems typical for economic crime in general, do not come even close to the damage that may result from such crime.
Are we nuts? Forget this private nonsense! Our plastic (electronic) transactions should be forced to the same standards and rigid controls as we insist on for cash, and penalties for serious economic crime should range to the truly severe, including capital. We need, in effect, a FEDERALLY controlled "mint" for electronic financial activity. This sector was created privately, and has grown huge privately, with too little by far in the way of regulatory controls or standards creation and enforcement, or suitable criminal penalties and consumer protection. We now even have these folks trying to charge us protection money to "protect" us from the mess their own systems have created!
The time for this has clearly passed. We now need a federal mint system for electronic money, clearly NOT something that is in profit driven hands with little in the way of standards. Such a system could even be structured to work across international boundaries: electronic money, tagged with an originating country's cash money moniker, would allow losses due to another country's lack of responsible control to be charged solely against that country's currency.

I am intrigued that so many people want the "government" to fix this problem. That will cost money. I wonder if these are the same people who want to pay less in taxes. All of a sudden, big government isn't so bad when we want the government to protect us from the excesses and the negligence of the free enterprise system.

For those of you who said back to check writing.... Do you think that the electronic bank routing number and account number on the bottom of your checks are there for a human to read??

Most large retailers use electronic check processing and verification systems.

Also the financial sector is just the start... as we see our medical records become electronic.

Heck, Google yourself.... For $29.99 I can get your address, phone number, the names and addresses of your relatives, your SS#, your driving records, your credit report, your criminal records, your divorce records, find out if you have ever filed bankruptcy, find your lien holders.....etc....

I think putting that much personal info on the world wide web should be illegal.... heck selling your info to anyone that wants to pay for it should be illegal....

I've been working with computers for 30 years. None of you are safe.

Personally, cash used to be king, but the powers that be want you to use credit cards these days because it's easier to track YOU and your trends so that they can predict what you will spend your money on and market it to the 'slot' you fit in.

When you go to a bank to withdraw YOUR cash, when you step out the door with YOUR money, know what? No one EVER will know what you did with YOUR cash. Know what else? Neither will the hackers.

Think about that. Yes, we live in a modern society and culture. But what exactly does that have to do with the CHOICES we make? Because here, that's what we all are doing.

We CHOOSE to use Credit Cards and Debit Cards, knowing full well that there have been security breaches in the past.

What's the answer here? I don't really know. But I do know that Cash is STILL king.

And if they (The banks and transaction companies) can't be bothered to protect our cash, and wait until the public at large is too distracted by other events to fess up about these sorts of things, but have no inkling to ruin our credit when it suits them, then it seems to me that (like a lot of things) that the consumer is on their own.

Maybe the answer here is to tell the banks that we are going take all your money out of their banks because we don't feel safe with them? Seems to me that if they get the message that we feel that our money is not safe there, they might take steps to make it more safe.

But that's just my two cents....

Every penny the banks have to pay out to cover ID theft (like the $1000 they had to pay me back from my cracked credit card) is money not going into the CEO benefit package. The silver lining in all this is that some smart crackers have figured out how to steal from the rich! Serves them right for running Windows 3.1 at the teller stations IN 2006!!! Also be aware the cracker that I tracked to a specific IP address got away with it because the bank, the company that processed the $1000 order and my local FBI office all said they don't have the time, inclination or resources to do anything about it, even after I did the tracking for them and supplied them the information required to prosecute.

I love when someone who thinks the cd player is a cup holder has all the answers. You can't stop a virus until it has been spread. There are thousands of ways to change one virus that it is impossible to stop them all before they take hold. You can make it hard, but you can't make it stop as long as clear data is being transmitted. This is one place the government could step in and create a standard for all to comply to. It would be pricy up front but in the long run would be beneficial. Maybe an Encryption bailout is in order.

This is a big business handled by powered people with influences, Bankers and politics are involved in this billionaire Business, since they don't care......I don't want to tell you how it works.... open your mind.

Sounds like some of our citizens are waking up. So when does the revolutionary war start, where we the people take our country back, protect the lives of ALL, and bring back honesty and trust?

What the !@#$ have we been thinking? Our system of cash money, which is, thank God, NOT private, has extremely tight controls at mints, has solid counterfeit protection (at least recently), and is well protected in transit. We also don't usually carry life devastating amounts of cash around with us. If we have our wallets stolen it's very unlikely it's the cash we're most worried about. It's that damn plastic, because its loss CAN have life devastating impact.
And yet we allow this far larger portion of our economy to function Helter Skelter in private hands, with a goal that is solely to maximize profit and with a level of responsibility in their work that seems to run from inadequate to shockingly derelict, with no enforceable standards along their chains of activity and obviously far too little regulation. And the penalties for crime in this area, as seems typical for economic crime in general, do not come even close to the damage that may result from such crime.
Are we nuts? Forget this private nonsense! Our plastic (electronic) transactions should be forced to the same standards and rigid controls as we insist on for cash, and penalties for serious economic crime should range to the truly severe, including capital. We need, in effect, a FEDERALLY controlled "mint" for electronic financial activity. This sector was created privately, and has grown huge privately, with too little by far in the way of regulatory controls or standards creation and enforcement, or suitable criminal penalties and consumer protection. We now even have these folks trying to charge us protection money to "protect" us from the mess their own systems have created!
The time for this has clearly passed. We now need a federal mint system for electronic money, clearly NOT something that is in profit driven hands with little in the way of standards. Such a system could even be structured to work across international boundaries: electronic money, tagged with an originating country's cash money moniker, would allow losses due to another country's lack of responsible control to be charged solely against that country's currency.

I work in the industry, and this has obviously become a huge problem. The cause of these problems though, do not solely rest on the processors. These latest processors to be hacked met the compliance standards that are required by Visa, MasterCard, and our government. Most processors want superior security than what is required now, but the government will not allow it. The government wants to have access to this information whenever they need to, and superior security with higher encryption would make it more difficult for them to do so. This is why many European banks do not want to do business with us...because the security our processors are required to have is a joke compared to what they have.
So, instead of spending the extra money on better security so that things like this don't happen...it's just easier for them to keep everything the same, and put all of the credit card holders in the U.S. at risk. It's sad.

I THINK HEARTLAND AND ANY OTHER COMPANIES LIKE THAT SHOULD NOTIFY THE COMPANIES THEY WORK FOR AND THOSE COMPANIES SHOULD NOTIFY THEIR CUSTOMERS. WE SHOULD BE NOTIFIED BY SOMEONE DON'T YOU THINK??? FORGOT TO ADD THIS TO PREVIOUS COMMENT, THANKS

After reading a comment about using paper checks again to avoid this kind of trouble - think again. Most companies that accept checks do so by scanning the checks through a reader to verify that you have the money - basically the same thing that they do for credit cards. Only with checks, your bank account # and routing # are vulnerable! Just bad world out there folks...

We need laws in place and enforce those laws to handle these hacker scum bags. This is serious business and not a game. They are thieves and handle like you would with someone who commits armed robbery. Lock them away for many years in prison or with no access to a computer. After a couple of convictions get rid of them.


I'd really like to hear about what's being done to investigate, capture and prosecute these criminals that are breaking and entering secured areas. Electronic or Physical theft is theft and we're not talking small change. I've had computer infections that pop up when shopping online and ask for very personal information such as SS# pin# and bank account #'s... Who do you call when someone attempts to rob you? 911? Seriously! Why is there nowhere to turn when an obvious crime is being committed? Maybe some of this is a foreign invasion? No matter how you see it, there should be some way of combating the perpetrators as well as protecting ourselves against such theft and invasion of privacy for Mal-intentions. Just a thought,

More greedy jerks who put your security at the bottom of the list.

If anything, these hackers have shown us the truth: our data isn't safe. We can build massive networks, but we fall short of securing them and then blame the costs involved in securing them. Even after all of the major incidents, we're no closer to having secure systems and networks today than we were back then.

I USED MY BANK DEBIT CARD AT A FAST FOOD PLACE HERE IN MARYLAND AND THAT SAME EVENING MY BANK CALLED ME TO SEE IF I HAD USED MY CARD AT WALMART IN INDIANA AND ALSO ANOTHER COMPANY IN ANOTHER STATE, WHICH I HAD NOT OR AUTHORIZED. THANK GOD I DON'T MAKE LOTS OF MONEY EACH WEEK OR I'D BE REALLY SCREWED. AFTER ABOUT 3 WEEKS OF MY BANK INVESTIGATING MY FRAUD PROBLEM, THEY CREDITED BACK MY ACCOUNT FOR THE FUNDS AND NSF FEES ALSO. I LEARNED MY LESSON THE HARD WAY. I DON'T USE MY CARD ANYWHERE BUT AT MY BANK'S ATM MACHINE. I HAVE NEVER PUT ANY CREDIT CARD INFO ON THE COMPUTER AND NEVER WILL. I KNOW A LOT OF PEOPLE WHO PAY THEIR BILLS ON LINE, BUT NOT ME, I'LL KEEP MY CHECKS AND PLENTY OF STAMPS.

omg - more thieves - is there no honesty in our lives anymore. everyday it is someone or something else out there to destroy a life or lives. when do we start practicing "an eye for an eye" concept so all thieves (no matter what color the "collar") is put on notice that we "aint going to take it anymore".

I work for a processing company mentioned in this article and I know that my company has made every effort to protect our client and merchant accounts.
Lots of small business owners do not want to spend the extra money up front to buy the newest credit card terminals, this puts the business at risk. They also choose to bypass the prompts that protect them from fraud, also putting them at risk. The cost of the new compliant terminals is higher so to save money I've heard of merchants buying their terminals on eBay or from other sources. To make sure everyone's business is protected everyone needs to be compliant, merchants and processors.

I keep writing congress to do the following

1.) Each processing company should have to carry $25 million in liability coverage for hacking.

2.) They should be audited by a security firm yearly to verify encryption and security compliance.

3.) Users should be notified within 7 days of a breach of their information.

I am a victim of Heartland's negligence and total disregard to break the news in a timely matter. I noticed a bunch of unauthorized charges on my account and had to notify my bank. A representative with the bank told me they were aware of this situation because I wasn't their only customer who had this problem. She told me that she really wasn't supposed to disclose any specifics at this time but she told me what had happened. She also said that they were notified by their insurance company and that is how they knew. I chose to investigate this matter on my own and I found out that my account information was leaked by Heartland Payment Systems. The bank took care of my situation and will issue me a new card which has caused me a lot of undue burden thanks to Heartland's negligence. Heartland needs to be held responsible and I also feel that they are withholding more information that should be made public because they already tried to cover it up by breaking their press release on Inauguration Day in hopes of this story being buried.

When someone's credit/debit card number is stolen and then is used to make a counterfeit card, the fraudulent transactions are almost always paid by the issuing bank, not the consumer and not the credit card processor that was hacked into. The issuing bank loses. If anyone has had to pay for transactions that were not theirs they are using the wrong bank for their credit card. Find one that upholds the zero liability rule. As far as people who are victims of identity theft that is a whole different can of worms.

Yes, I too was scammed to the tune of $600.00 and when I contacted the intermediary which collects these funds for many businesses I was told they could not tell me who had taken my money.
It's time to get this problem solved. The human race managed to go to the moon, did they not?

If it be a home PC receiving spam or a Banking System, why are the unauthorized two way transmission "NOT" being blocked. If each user has a code, then how is access on the return side not allowed to send a "BOMB" to destroy the computer system of those causing mischief?

These issues are not of money. They are the lack of professional standards for the industry to police their systems. Spam should be stopped before it gets to my computer. Mischief should be blocked by automated time changing authorization codes. When a transmission does not have proper in-house identification to transmit, it should be immediately stopped. What is so expensive about that kind of filter?

There are the means. There is the ability. Just those in charge drag their feet to install a simple cure. Those who work to make the computers work are paid the same if they install the filters or don't. It can be said then that costs are not the real limiting factor to correct the problem. It is time to put the bean counters' myths aside and become pro active to the situation and do something.

Postle

Dave B. is almost right, cut up all but two of your cards and use those only when absolutely necessary. Go back to 'cash and carry'. It will also help you to watch your budget. I take out what I believe I will need for a week's spending (not including monthly costs like utilities, rent, insurance). Living on a tight budget is tough, but you don't have the shadows of debt and doubt over your head. Too many crooks out there gunning for your money.

Seems to me we sell first and think last. When the government steals our money its called , "reappropriating" and "taxes", when the bank steals they call it, "interest" and "service fees", and when the HACKER does it "WE THE PEOPLE PAY FOR IT JUST LIKE THE GOVERNMENT, BANKS, AND EVERYTHING ELSE!!! We have become a world of liars and scammers. There is so much BULLSHIT out there floating around in the ETHERNET that not even the so-called experts know what to believe. SO FIX THE BULLSHIT AND THE REST WILL FIX ITSELF!!!

cracks me up, some guy blaming bush yet again, and probably for another 8 yrs. yes, he's getting a cut from the thieves, moron. thank god we have god, I mean obama now. one wave of His staff and all will be well. seriously, the long time to react concerns me here

I just had my debit card information stolen last week. I called my bank, they told me to contact the merchant myself. So let's see....the merchant steals my money so somebody in India told me to call the merchant and give the merchant more personal information and that the charges were my responsibility. I don't think so. Monday I called my bank again and requested to speak to a supervisor, a person in the good old US of A. The charges were not my responsibility after all and there is no reason for me to contact the merchant. I chopped my debit card. I am waiting for a new one to be issued and honestly, I will probably never use. I am in the middle of paying off all my credit cards and it's CASH from now on.

We need to institute a mandatory law - immediately - that holds post-facto. All stops pulled in tracking this guys down. To include no trial at the end. We treat them like terrorists - except we torture and kill them (and not anything wimpy like waterboarding ... stuff that makes them scream and wish they would die).

Encryption is not the answer. Encryption only protects data that is in transit between two servers. Once received by a server, the data must be decrypted in order for it to be useful. If the virus/malware is installed on a server, which I believe it was in this case, then no amount of encryption will solve the problem. If Heartland had adequate physical security, and adequate firewalls (which they probably did), then this had to be an inside job. No amount of software, encryption, firewalls can prevent an inside job from occurring. This is really no different from a bank employee embezzling funds from customer accounts - it's just more high tech in approach.

Typical corporate thinking: Do it quick and cheap to keep the bottom-line down and the margin fat and we'll deal with the consequences only if we have no choice.

Science can encrypt, and science can decrypt. nothing will ever be truly safe when it's in the electronic media. go back to cash or live with the possibility that you will be robbed. at least you won't have a gun stuck in your face :P

I think terrorists are collecting this data to attack our financial system all at once in the near future.

1986-Crooks intercepted my new card, spent $15,000.
1993-Crooks stole blank credit card checks from my mail-Spent $6,000. Same thing with my ex-wife-$5,000.
1997-Crooks opened a new joint card with my name and info-$4,500.
2008-Crooks used my card info-a card I never use-Spent $5,000.

Never cost me a dime, but can you imagine how much theft money is absorbed by the CC companies?

Yes, it is a scary situation. How vulnerable we are to an attack on our financial security. But if you want to be frightened even more, go back and watch the movie, "War Games" again. It does not seem so farfetched any more.

All very interesting . . .so what do we do with the parasitic criminals when they're caught. DUH,. . . Personally, I applaud China for their attitude toward individuals that ruin the lives of others. If we still had b-lls in this country, we'd do the same.

Until identity theft becomes the problem of the banks that issue the credit this will continue to be an issue. No return on investment for safe transactions means it will never happen as these people will never be able to punish this company for its lack of proper and secure business procedures. The only thing they have done is turn this into a profit center (Protect your credit services) which are really traps. The whole thing is just another instance of Business buying our country.

Just do what I do...PAY CASH!!!
Why have we as a society forgotten how to do this? Is it truly so difficult???? Is it such a sin to actually cash your paycheck, deposit what's needed and take actual "cold hard cash" home with you?
Please people..FIGHT the pressure to get to a "cashless" world!!! It would help keep many out of credit problems...if you don't have the cash in hand..you can't buy it!!!!!!
All I can say is it works for me!

It starts at the foundation of software design ppl. I design/code/support financial server software that has been in production for 12 years now. 100% uptime and security is the first consideration. Message level encryption is the answer, not communication layer encryption. SSL is a joke if you know how it works....

In a press release Heartland said that their system worked and that NO MERCHANT DATA or CARDHOLDER DATA WAS COMPROMISED and that they are working with authorities to track down the guilty parties

It is the banks that take the financial blow for fraudulent charges. The merchants are protected by visa mastercard because they got a signature, it does not have to match the name on the card, or it is below the floor limit for a signature, the largest fraud is at pay at the pump. When a cardholder signs the forms for fraud transactions the bank has to take the loss, not the merchant. The processors and the merchants need to be held responsible for data breaches of their systems. If just one had to pay for all the fraud from one of their data breaches, there would not be anymore after that. hold them responsible.

Reply to InTheKnow:
It's the hardware you dummy not coding.

Heartland's practice of outsourcing computer code
THAT'S THE TRUTH. Know you Now'"overseas because of quick turn around times has come back to bite them. The code is sloppy, error prone, and doesn't have basic error checking embedded. In other words, they got what they paid for, but now we are paying the real price!"

I'm sick of hearing about banks failing to be held accountable let's send them packing and sue them for negligence !!!

Once you get behind the firewall on a network you are in if reasonably computer literate. Make no mistakes about that. Regarding packet sniffers, good ones out there and if the data is not encrypted your 10 year old kid can read the information being displayed. It takes about 2hrs max to be reasonably proficient with a software packet sniffer.

If our government can find terrorist and criminals, why don't they look in their own backyard???

If we have the technology to steal then we have the technology to stop the stealing. This is a problem that can be fixed but isn't being fixed. My question is why isn't it being fixed. There is always a reason and when it's big like this it's usually about money. So if gov't won't help us we need to help ourselves by not participating as other comments have stated.

maybe we could punish those nasty mean ol' guys who steal our money this way, but OH NO LORD DON'T HURT ANYONE, let's just try to talk to them and maybe give them counseling to see if we can help this compulsive disorder to steal everyone else's money and not have to work, but that would be sitting a bad idea for our kids, BULL SH__ do like other damn countries, u steal, cut off their damn hands so they can't type anymore, next time if they get a buddy to do their typing let's put them behind bars some place for the duration of their jail sentence, not a year or so, but wait Obama is going to do away with all harsh treatment of bad guys, no help there, better just start using cash, walk or drive to your bank if u can still recall how and cash your pay check, go around getting money orders or go up to some place u owe and actually pay them in cash, too busy, too bad, wait around watching and hoping your checking account isn't hacked into, problem now days is EVERYONE of you is too damn lazy to get out and take care of business like u should

In the end only the people who post these comments are the people who read them. Those with authority and the power to make change to benefit the public are spending BAIL OUT MONEY on an island getting spa treatments. It will always be that way; you're on your own.

.....and George Bush said last one to raid the American people (again) before we leave office is a rotten egg!!!! The only people who have the skills or the know how to achieve such thievery would come from the inside and would definitely need help as well as connections...why because to seize recorded data of any kind there is always a few tries before you get through and that creates a trace! Somebody needs to check the Servers for Domestic and Foreign Transactions that occurred within a 48-hour period before and after the incident. The trace is there question is why hasn't anyone found it.

Security at its Finest

When they find these people, they should give them a little Chinese justice. Ditto for the drug dealers and all who commit serious crime.

Right back at you Dave, Ontario. I agree with you. We need to stop buying w/credit, using debit cards and other forms of technology to do transactions because we need to look out for ourselves because the gov't and the big tech companies are not. Like others have said it doesn't cost the gov't or the big companies much if your financial info is lost however it can cost the average joe everything they have--many people spend years and money to correct the fraud and abuse if their personal and financial information is obtained and used. Haven't we learned anything within the past few years!!!

I am one of the victims. I have been notified, by my bank, that between May 2008 & November 2008 my debit card information may have been compromised. This is scary, as I am the sole bread winner for my family. The bank has taken the steps to close my debit card & reissue me a new one. I am almost tempted to go back to writing paper checks.

I am in the industry as well and while Heartland was cheap and lazy not all of us are such. We also have to blame some of the merchants who take cards from us. Last week one of our customers admitted to me that he has lied while undergoing a security audit. We of course closed him down, but someone else will let him onto the system.

i say they should be up for the death penalty.
they destroy lives.

Thieves are ALWAYS finding ways to get out of getting REAL jobs, and earning their own damn money; it makes me SICK hearing about this crap! They are so gifted at being able to "hack" into all of this sensitive data, why don't they go and work for our government ....and try to HELP keep people out of our personal business? And I'd lay MONEY on it that these CRIMINALS are from another country where the laws are not as strict as they are in America!

Once again our banks and their vendors are risking consumers for the protection of their profits. We need the government to force the banks to protect us. They'll never do anything so costly on a voluntary basis. Maybe this should be tied in with the outrageous bailout $'s they're getting. I call on President Obama & Congress to get this done ASAP.

My partner and I had to choose between the risk of using credit/VISA check cards or carrying cash. We're carrying cash.

We've stopped using ATMs; our credit union's machines were hacked about two months ago. We only found out about the breach when trying to withdraw cash at the hospital. When we called, we were told another card (and PIN) was already in the mail. Hmmm.

We have found that we are spending far less now that we've switched to cash. Soooo, the criminal masterminds (street and corporate level) are actually doing us a favor by being greedy.

Being able to establish and keep good credit is supposed to be a good thing for people but if our security is always going to be in jeopardy what is the sense of having it. We go through life hoping and praying that we can all get ahead but with all the breaches and incompetent people in the world what good is security????? If our government and the task forces that are being paid with OUR money cannot watch our backs and are not trustworthy what is this world coming to. The best thing to do for all is to just go back to cash and carry.

fyi please don't use all caps in your response it's considered shouting and very rude when online. just so you know. your response however to this thread was appreciated. thanks

that's where the data ARE, not IS

Hackers, thieves, fraudulent transactions have been the tag-line for the Banks and Brokerage houses for a long time. Now WE, the taxpayer, have given them $700 Billion dollars to shore up their failing businesses. Our hacker losses don't mean a thing to them. We are paying twice for the same non-protection we will have for a long, long time.

re the point on encryption - end-to-end encryption (from POS device to card issuer) would prevent hackers from sniffing the data - just as is the case with ATM PINs.

It would be much easier for the government you all demand track down these hackers if you didn't tie their hands with complaints about "privacy" that remove the technologies allowing them to track hackers. You (the people) have to decide - do you want complete privacy or do you want to leave a trail so hackers can be caught? (Remember the Melissa virus? MS got in trouble for encoding mac addresses in Word docs after that, despite the fact it led to the capture of the culprit who knocked down systems world-wide and cost us all a ton of $/productivity.) The technology is there to protect us, but the reality is we don't want to pay the higher price (monetary and privacy) that is required to take advantage of those technologies. By the way, you doofs who are worried about your personal security, tell the companies you work with to stop running old, unsecure technologies like Windows 2000, XP, IE6, Word 2003...The newer stuff is much more secure and solid DESPITE what the MS-hating press says.

As usual, the American consumer takes it in the a$$ from the financial services industry. They took the easy and cheap way out, and now we all pay for their lack of good judgement and unwillingness to care about their customers. Time to start making some laws to hold these executives criminally responsible for intentionally putting customers and the security of their personal information at risk, as well as their shareholders.

I wonder if the average Joe could increase his security level by periodically requesting new card numbers to be issued. Second, if you kept smaller balances in checking/debit accounts and transferred funds from savings to checking as needed.

I would hope that when perpetrators of this kind of crime are convicted, they receive long and harsh sentences. After all, stealing is wrong (um... duh) and in this particular economic climate, acts such as this demand large and unpleasant consequences.
Of course, if people didn't insist on living beyond their means, there wouldn't be a place for this type of criminal...

Why are these people not hunted down and put away for a very long time?

Why don't we as a country stop using these cards? As a retailer, I see how expensive it is for us, yet Visa still advertised the convenience...

For people who don't realize it, the only reason debit and credit cards exist is because somebody figured out a way to make vast amounts of money providing an unnecessary service. The processing companies are raking in billions (out of the pockets of the retailers) and the general public is blissfully unaware that they are contributing to the failure of small businesses all over the country because they insist on using cards for payment.

I worked for the State of Tennessee in 2003 when they routinely contracted out their Medicaid claims processing to the Women's Prison. On the claims, there were SSNs and Doctors' DEA numbers (which authorized them to prescribe drugs)... When we inquired as to the wisdom of such a practice, we were told this is a common arrangement with a huge prison personnel contractor and, 'don't worry', the prisoner processors did not have any writing utensils to copy down the personal information.
The question is how many states are dealing with the prisoner personnel contractors to process personal information?

California law requires disclosure to affected California residents, and may require a fine of $500 each if the data stolen was not encrypted.

I have already seen how much this is costing our bank and how much people are really upset about all of this, I think we need to focus and update our systems to better protect our hard earned money. Or a lot of people will start putting their money under their bed like before. Right now that seems a lot more safe than banks anymore!!!

The consumer is always the loser. These kinds of reports make me want to switch to cash only transactions; but then I like to withdraw cash from ATMs which are also vulnerable.

Congress, Senate, Pres. Obama, God, somebody help us consumers.

If you can spend hours on making a malicious virus and send to these firms to rip citizens off and take their money, you should be put away for a long time. You're stealing from, for the most part, hard working, sweat-shelling people that earn their money. It's very sickening if you ask me!

I hope they get their butts sued off for negligence. Running an open network without encrypting the packets is an open invitation to fraud and they knew it before this happened. Also, these things are so often an inside job. Somebody put that sniffer in the servers and it's a lot easier to do it from the inside than the outside. Pure, unmitigated negligence!

But...but....our government and our banks have said they have protection in place so this kind of thing can't happen. How can that be? Is someone lying to us? Is it possible that the banks are only interested in hiding and protecting themselves? I thought the government had agencies that oversaw the banking industry. That's what we hear. Is it possible we have been lied to. AGAIN???

Really!?? It is time we all woke up to the fact that these laptop/desktop units we live at are best serving us as a portal to a library. If we all stopped shopping, banking and doing cash transfers on line we could get back to a monetary system based on CASH (since we've lost gold as an assurance). If we do that there will be no more phantom money losses/laundering in the M3, no more "derivatives market" which is like the sale of smoke and mirrors financially speaking. The banking systems worldwide have made credit too easy, always hoping that the new customers would sustain the appearance of growth in our economy. The "growth" that the US banking systems and mortgage lenders presented was too much for legitimate investors to resist so we all get caught up in the scheme!
Cut up your credit cards, get off of online transactions and drive this ponzi scheme that has become our economy back to reality!
Your banker won't do it, Hell he won't even like it, but he won't lend you money either, So starve him!
Our lives and the freedom of our individual rights hinge on it!

I have been around technology for many years... It's a fact that anyone can do anything at anytime to breach a security hole somewhere in a network. The more touch (or storage) points data has transmitting from point A to point Z, the more likely data will be breached.

Man, maybe it's time to just drop the credit and go back to the gold standard.

I FIND THIS RATHER IRONIC HOW THE INDUSTRY IS REQUIRING THE RETAILERS TO COMPLY WITH SOME VERY STRINGENT REGULATIONS (PCI COMPLIANCE) IN CONNECTION WITH CREDIT CARD PROCESSING WHEN THE REAL THREAT RESIDES AT THE PROCESSOR LEVEL WHERE A MOUNTAIN OF DATA IS COLLECTED YET THEY DO NOT SEEM TO BE HELD TO THE SAME STANDARD

"...and she criticized banks as “lazy” for not requiring encryption."

I disagree with this statement. In a private network, you have firewalls, intrusion detection systems, and antivirus/antispyware/antimalware systems in-place so encrypting any data in this network is a moot point. Plus, encryption only prevents man-in-the-middle attacks, not a PC infected with viruses where the data gets decrypted anyways if encryption is used. So the problem is not that there was no encryption, but that information security command-and-control was apparently questionable (at the very least) in Heartland.

It is too easy to say that "encryption" is the solution when the problem was not an attack on the network but a virus infection at the destination (PC workstations) per the statement "Heartland isn’t saying how a computer virus was able to get onto its systems." I believe any article like this should discriminate the problem and solution distinctly and correctly.

Maybe the banks could use some of the bail-out funds to help with the encryption process. After all, we are entrusting our information to someone who in turn is entrusting it to someone else. It's the same as entrusting material things to someone, and they lose it, or let it be stolen, or let it get destroyed by someone else who they entrusted it to. Then somewhere, and somehow, someone should be responsible for it.
In the past 4 years, my #'s have been in three different security breaches: one (1) from the merchant's third party people, resulting in new #'s being issued, and two (2) from Visa's third party people, with new #'s being issued on one occasion. So you see I was being serious about the issue. Maybe not all from the funds.

While hackers are spending all this time, effort, and knowledge learning how to steal from people who work for a living to feed, clothe, and house their families....the government should spend their time setting up a security force of the future that does nothing else but track down these thieves and lock them up for a minimum sentence of 20 years without any chance for parole...if the damage is greater, then life without parole.

It costs money to secure those systems! It costs them nothing if you lose your money. Sure, there is some kind of impending liability, but that's a risk most companies are willing to take. I used to work at one of those late night "Knife Show" on cable. I took orders and did customer service work and I can say there was no procedure, save a constant observance by our management, to hide any kind of credit card data or personal information on our internal network. Why? It costs money to do things right...

Each year millions of people are adversely affected by identity theft when information brokers have their security breached. In most cases the authorities are never informed and millions never know that their personal information has been compromised. All the common man knows is somebody got their personal information and stole not only their money but destroyed their credit. They spend untold hours trying to recover their credit and their lives. Meanwhile the very entities who were selling their information for a profit bear no legal or financial responsibility. They simply used their lackadaisical approach to network security to come up with two additional products for which to charge a fee: Identity Theft Protection and Credit Protection Programs. It’s amazing how they can turn what is obviously an inherent responsibility into a fee-based service.

I am a small merchant and deal with the credit card processing firm Paymentech. I am horrified by their incompetence.
Twice, they have processed transactions multiple times and it took me a year to get them to correct the mistakes and refund the discounts and service charges levied.
When they changed my merchant number, I was unable to process any transactions while they corrected their mistake. The people at their help desk told me there was nothing they could do and I should call back in the morning.
As for security, I don't have so much as a PIN number to protect my account. I have complained to them several times ineffectively. I have been told that I have to trust people and that no one would know how the system worked. I complained to the Bank of Nova Scotia, but they just forwarded me to Paymentech.
There are countless horror stories about them on the internet and I follow the advice found there and move my money out of their reach as quickly as possible.

Heartland's practice of outsourcing computer code overseas because of quick turnaround times has come back to bite them. The code is sloppy, error prone, and doesn't have basic error checking embedded. In other words, they got what they paid for, but now we are paying the real price!
