There are so many opinionated misstatements in this article I don’t even know where to begin.

Opinionated – of course. Most blogs are and I make no claims that mine is not.

First, the lack of information on the breach is not from a mysterious “shroud” of “corporate secrecy” but due to the lack of hard evidence on how much data was stolen. Data doesn’t sit on the shelf like a physical object. The malware hackers are using is sophisticated enough to hide itself and prevent data forensics experts from knowing what actually happened. Putting the pieces together to determine how much data was stolen is not as simple as you think.

This was likely the case with another major data breach that occurred in 2008 in which the processor involved has not even announced the breach.

I don’t think for a minute that it’s easy and I’m also well aware that the hackers are more sophisticated than most of the people trying to catch them. Please don’t tell me that there isn’t a “shroud of corporate security” (your words, not mine) and in the next paragraph tell me that there was another major breach in 2008 that has yet to be disclosed. I think I see a bit of secrecy there. And then there’s Heartland’s very obvious attempt to withhold information with statements like the breach went on for “more than weeks” and their total silence on the number of accounts potentially exposed even as the affected issuers are, to some extent, coming clean.

Related to the undisclosed breach, If you read my March 3rd entry (http://www.merchant911.org/blog/index.php/2009/03/03/data-breach-double-talk-spin/)
you’ll see that I’m aware of a lot of speculation on that incident. Visa did a (opinionated) very poor job of (/opinionated) denying that there was one. If I assume that you are someone in the industry rather than another blogger with “opinionated misinformation,” then I can consider your comment as a verification of that breach – and a confirmation of my opinion that Visa is lying about it. A legitimate question for you, if you will, why hasn’t that processor disclosed?

Then, you talk about the card “companies”, in which you mean the CARD ASSOCIATIONS, Visa, Mastercard, Discover, etc. and their relationship with acquirers such as Heartland and issuing banks.

You are quite correct but, for the record, I’m quite aware of it. I couldn’t help but absorb that distinction in the 8 1/2 years I’ve been working with e-commerce merchants. I used those words with the idea that some of my readers might not know what I meant when I referred to the Association. A matter of semantics in this case. If you look at most of the pres releases out there, you will see that the Associations are usually referred to as ‘credit card companies.’ I’m certainly not alone on that one.

This is all wrong.
Card associations do not fine issuing banks for fraudulent activity or data compromises. Fines for data compromises affect the acquirer and the acquirer may pass these fines on to the merchant when the merchant is responsible. In this instance, no merchant was responsible for the data breach so the fines (when they are announced) will be absorbed by Heartland. The issuing banks deal with fraudulent activity as a result of any data compromise between the card holder and the merchant. Chargebacks may affect some merchants, but most likely, the distribution of these card numbers around the world will make the impact on US businesses almost non-existent. The effects have been felt mainly by card holders.
Everything you said in that paragraph is wrong. You might consider deleting this entire post or checking ALL of your facts first.

I do stand corrected on the “issuing bank” statement and will shortly edit the paragraph accordingly. What I should have said is that fines are being issued to Heartland’s sponsoring banks.

You are also correct that effects have been felt by cardholders but I refuse to consider them as victims in all this. Just last week I received a new debit card telling me that my old one may have been breached in the Heartland incident (yes, my bank named names.) That hardly makes me a victim. Even if my card had been used fraudulently I wouldn’t consider myself a victim of anything but the inconvenience of calling my bank to report the fraud.

Bu then again, I didn’t make any statement about who’s a victim of what, only that the mess wil be very expensive.

There’s enough blogging and news media on this topic already. Do some research and get your facts straight.

I do a lot of research but the sources that I have are a bit limited. They are, after all, pretty much limited to blogs and the press. We certainly are not getting a hell of a lot from the industry.

First, the lack of information on the breach is not from a mysterious “shroud” of “corporate secrecy” but due to the lack of hard evidence on how much data was stolen. Data doesn’t sit on the shelf like a physical object. The malware hackers are using is sophisticated enough to hide itself and prevent data forensics experts from knowing what actually happened. Putting the pieces together to determine how much data was stolen is not as simple as you think.

This was likely the case with another major data breach that occurred in 2008 in which the processor involved has not even announced the breach.

Then, you talk about the card “companies”, in which you mean the CARD ASSOCIATIONS, Visa, Mastercard, Discover, etc. and their relationship with acquirers such as Heartland and issuing banks.

This is all wrong.

Card associations do not fine issuing banks for fraudulent activity or data compromises. Fines for data compromises affect the acquirer and the acquirer may pass these fines on to the merchant when the merchant is responsible. In this instance, no merchant was responsible for the data breach so the fines (when they are announced) will be absorbed by Heartland. The issuing banks deal with fraudulent activity as a result of any data compromise between the card holder and the merchant. Chargebacks may affect some merchants, but most likely, the distribution of these card numbers around the world will make the impact on US businesses almost non-existent. The effects have been felt mainly by card holders.

Everything you said in that paragraph is wrong. You might consider deleting this entire post or checking ALL of your facts first.

There’s enough blogging and news media on this topic already. Do some research and get your facts straight.

That’s true for on-line merchants. Fortunately for us, the Heartland breach involved track 2 data which allows cloning of the mag strip and I think we’ll see more Card Present fraud.

Also, since this DID involve track data, the banks have been more proactive in replacing cards – as you would expect them to do when they can’t pass the loss on to the merchant.

But aren’t the banks charging the merchants at the end with chargebacks, or they’re eating up the losses?