Today's the Deadline for Filing Heartland Fraud Claims - Now What?
At times it seems we know more about how the Heartland breach was pulled off than how banking institutions can recover losses from it.
This has been a confusing process for banking institutions, many of whom found out from us - not from Visa -- about the opportunity to file claims. And even then the news was revealed quietly, in a letter to card-issuing banks, telling them:
- Heartland is now "in a probationary period" and subject to several risk conditions, including "more stringent security assessments, monitoring and reporting."
- Heartland's sponsoring banks will be assessed undisclosed fines as a result of the data breach.
- Card issuers can recover an unspecified portion of losses connected to the Heartland breach, but they face the May 19 deadline to file their claims with Visa.
Since then, we've learned that Heartland is now off "double secret probation" with Visa - it's back on the "good list" for PCI compliance, but we've heard very little about how institutions should go about filing claims. All Visa ever said was "see your regional Visa representative."
Problem is: Many institutions have no clue who their regional representative might be.
As I've traveled the country the past couple of months, I've heard consistent complaints from banking/security leaders decrying the communication - lack thereof - from the major credit card companies. "Who do I talk to at MasterCard or Visa?" "How do I file a claim?" "Exactly how much detail do I have to go into on each compromised account?"
It's been a nightmare for many institutions. As one leader wrote to me, "I know that we have until May 19th to submit a claim to Visa regarding the losses that we experienced, but we haven't been able to determine how to file the claim. Are you aware of how we would submit our claim or do you have a website that we could access to figure out what we need to do?"
Another leader managed to file a claim w/MasterCard, but then found out he didn't do a thorough enough job and had to go back and revise all his paperwork. "We are finding more and more, certainly through this process, that even [credit card company] officials are not familiar with the process, which makes it even harder," the author writes. "Not to keep whining to you ... just wanted you to see how work intensive this continues to be and what a nightmare it is!"
Nightmare, indeed. At times it seems we know more about how the Heartland breach was pulled off than how banking institutions can recover losses from it.
Here's what we do know about Heartland: To date, more than 600 banking institutions have volunteered to us that they were impacted by the breach, and many of these institutions have had customers who've experienced real fraud as a result. To prove that each of these fraud incidents is a direct result of the Heartland breach? Tricky, time-intensive work, and I suspect it may take some institutions a bit longer than today's deadline allows. Hence, continued frustration from the banking community.
"May 19th? Don't hurt yourself!" writes one reader. "I love it when I see Visa put more pressure on the victims, but yet nothing happens to their internal procedures. Does 'Practice what you preach' come into play? I'm a firm believer that if we ever saw a deadline put on Visa ... you'd hear nothing but crickets."
And so it goes. Heartland has proven to be the story of the year - a gift to news organizations such as our own. But for banking institutions? It's the theft that just keeps on taking, tapping into more time and resources than anyone truly can spare.