Heartland Breach Blamed for Failed Membership Renewals - Brian Krebs | Security Fix

In February, Bill Oesterle began seeing nearly twice the normal number of transactions being declined for customers who had set up auto-billing on their accounts. The co-founder of Angie's List -- a service that aggregates consumer reviews of local contractors and physicians -- said he originally assumed more customers were simply having trouble making ends meet in a down economy.

But as that trend continued into March and April, the company shifted its suspicions to another probable culprit: credit card processing giant Heartland Payment Systems.

The data breach last year at Heartland -- a company that processes roughly 100 million card transactions a month for more than 175,000 businesses, has forced at least 600 banks to re-issue untold thousands of new cards in a bid to stave off fraud.

For consumers, receiving a new credit or debit card number means contacting companies that have those credentials on file to charge for monthly or periodic bill payments. Less well understood, however, is the economic impact that large scale processor breaches and the inevitable waves of re-issues by banks may have on companies when customers simply fail to reset that automatic billing when they receive a new card number.

The Heartland breach happened late in 2008 and was quietly announced in late January. Since then, Oesterle said, Angie's List has seen an increase of two to four percentage points in the rejection of auto-billed payments.

"We estimate that we're seeing an impact of perhaps as much as $1 million in revenue as a result of the increased turnover in card turnover," Oesterle said.

Oesterle said the possibility of the Heartland breach as the source of the increased turnover became clear at a recent staff meeting, when he discovered that three out of four of the people around the table had recently been re-issued new credit cards by their banks, which had attributed the action to the Heartland breach.

"So we started doing some random sampling, and took a look at people [whose cards were] being declined, and started contacting them," Oesterle said. "Most of the people we contacted said they were happy with the service, but had had their credit card re-issued by their bank as a result of the Heartland breach."

The trouble is that convincing customers who had once set up auto-billing to reestablish that relationship after such a disruption is tricky, as many people simply don't respond well to companies phoning or e-mailing them asking for credit card information, Oesterle said.

"We have processes in place to track these rejections that allow us to go back to members, asking for updated information, but we generally accept that some rejected auto-bills will never be recouped," he said. "We'll work hard to re-capture those members, but it will cost us additional resources to do so - and some will be lost."

Avivah Litan, a fraud analyst with Gartner Inc., said no doubt much of the attrition companies like Angie's List are seeing is in fact due to cards being re-issued by banks in response to the Heartland breach. But she said Heartland is likely also being wrongly blamed as the source of cards compromised in other -- less publicized -- data breaches that happened at the same time.

Continue Reading at Security Fix

Visa Yanks Heartland, RBS WorldPay Compliance Status

Bank Technology News | March 2009

By Rebecca Sausner

Visa pulled Heartland Payment Systems and RBS WorldPay from its list of PCI compliant service providers, placing the two on probation until they close the holes that led to the massive data breaches reported in January and December. Both continue to serve as processors in the Visa system.

“Heartland and RBS WorldPay are actively working on revalidation of PCI DSS compliance using a Qualified Security Assessor. Visa will consider re-listing both organizations following their submissions of their PCI DSS reports on compliance,” Visa said in a written statement.

Continue Reading at Bank Technology News

Here's a follow-up to the Wyndham Breach

It seems that the criminals not only were able to get guest names, credit card numbers and expiration dates,  but they also were able to steal the data from the card's magnetic stripe, Wyndham said.  That magnetic stripe information contains Track 1 and Track 2 data including the (CVV) code, "which is critical if the thieves want to make fake credit cards, according to Avivah Litan, an analyst with Gartner Research."

"That's the hot information," she said. "You can sell that information for much more on the black market." CVV codes were also taken in the high-profile Heartland Payment Systems and The TJX Companies credit card thefts.

When fraud is perpetrated using fake cards that include the CVV codes, the banks are responsible for the charges;

When they are able to obtain only the card numbers and expiration dates -- for example,online transactions NOT DONE by HomeATM -- then the retailer is responsible for the charges.

"The banking industry is all up in arms whenever bank stripe data is stolen," Litan said.  

As posted in "DumbPhoneded" the retailers should be up in arms everytime a transaction is conducted without the  Track 2 data being swiped.  Not only are they paying up to 100 basis points more, but in the face of increased fraud, they could lose their product and lose the money they thought they got for it.  Call that a double whammy, no cheese.