Heartland Data Security Breach- what they didn’t say

When you read their press release, there is barely a hint that any harm occurred. What the press release doesn't spell out is which data was compromised and how it was compromised.

Visa and MasterCard received reports from their issuing banks of fraudulent card use last November and subsequently notified Heartland, according to a Washington Post report. Heartland didn't even realize they had a problem.

The problem was internal. It was not an external attack, but the result of spyware being placed within their own internal systems. Heartland's CEO says a piece of spyware stole payment card data as it passed through the company network. Everyone passes encrypted data to their processor, but what happened to the data once it reached Heartland? Why is this an important difference? We like to think our databases are secure from outside hacker attacks once a company has installed specific systems and software solutions for protection. If an outsider can hack into a secure system that has done everything correctly, then the world of data security is lost.

You really have to read between the lines to figure out what was compromised. Their press release is all about what wasn’t lost. Those behind the breach intercepted and stole the so-called Track 2 data from the magnetic stripe on the back of cards, which is all that’s needed to create counterfeit cards.


If you visited a merchant that uses Heartland for payment processing (and you have no way of knowing whether a merchant does), your card data may have been compromised. Your card could be cloned and presented for payment to other merchants. Identity theft is not expected to be an issue. Watch your statements for improper activity or replace your card. Heartland has over 250,000 merchants, many of whom are restaurants and hotels. Consumers have no financial liability.

Implications for Merchants

Merchants have no financial liability. Merchants may have to download a software update, though Heartland has not yet released any information about this. It's possible there will be none. If a download is needed, it could be a nightmare with so many merchants needing to update simultaneously. Since many in the restaurant industry use third-party solutions, the burden shifts to those third-party suppliers in some cases.

Do merchants have an obligation to notify customers? No, the data breach is not theirs, and they have no way of knowing personal information about their shoppers.

Should merchants change processors? That's a personal decision. Read the next section.

Implications for Heartland

What will it cost? If a merchant service provider is non-compliant at the time of a breach, it can be fined up to $500,000 per incident and face remediation costs between $90 and $302 per card. With over 100,000,000 transactions monthly, there are probably at least that many cards exposed; do the math. The cost could be astronomical unless Heartland is protected by safe harbor.

Safe Harbor

Visa defines safe harbor as the following:
“Safe harbor provides members protection from Visa fines and compliance exposure in the event its merchant or service provider experiences a data compromise. To attain safe harbor status:

1. A member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation.

2. A member must demonstrate that prior to the compromise their merchant had already met the compliance validation requirements, demonstrating full compliance.”

Even if Heartland is protected by Safe Harbor, it still must pay to replace all cards.

If Heartland is not protected by Safe Harbor, can it afford the fines and costs? If not, what will happen to the merchants processing with it?

2 thoughts on "Heartland Data Security Breach- what they didn't say"

  1. You have to be kidding me!

    "According to the Washington Post"... well, you said it.

    Christine, you have to get your facts straight. There are no software downloads needed. Merchants face no fines. Heartland is 100% compliant. You have probably been breached by now as well and you either don't know it or are hiding it. Actually, you aren't even a processor... nor is the ISO you buy from. You can bet that First Data has been breached and not disclosed it, though.

    Typical ISO propaganda…

  2. My article was meant to deliver more information than Heartland Payment Systems has been giving people- straight talk.
    I didn’t say a software download was needed. Nobody knows if one will be needed; I’m merely stating the obvious that it’s possible.
    “merchants can be fined up to $500,000 per incident and face remediation costs between $90 and $302 per card”. This was a typographical error. Taken in full context of the text above and below, it’s apparent that I’m referring to the merchant service provider, not the merchant. The text is under the heading IMPLICATIONS FOR HEARTLAND. Under IMPLICATIONS FOR MERCHANTS I’ve clearly stated that Merchants have no financial liability.

    With the correction of the last item, I stand by the accuracy of my article.

    Who I am is very clear- just read the ‘about us’ page.
