Heartland Settles Consumer Class Action Lawsuits

On Monday, Reuters news service reported that credit card processor Heartland Payment Systems Inc. has agreed to settle its consumer cardholder class action lawsuits related to the company's data breach. Heartland has agreed to:

"... pay up to $2.4 million to class members submitting valid claims. Heartland agreed to pay a minimum of $1 million to class members and take up settlement-related administration costs, including up to $1.5 million for the cost of notice to the settling class. The company will pay up to $760,000 of the costs of attorneys representing the class members. Heartland said it could terminate the deal if costs of notice exceeded $1.5 million, or if it received more than 2,500 requests for exclusion from the settlement class."

The settlement deal includes consumers whose credit and debit cards were compromised between Dec. 6, 2007 and Dec. 31, 2008, plus consumers who have alleged that they have suffered fraud losses.

Last week, Heartland agreed to pay $3.6 million last week to settle claims with American Express Company.

Heartland To Pay American Express $3.6 Million For Breach

Last week, PC World reported:

"Heartland Payment Systems will pay American Express US$3.6 million to settle charges relating to the 2008 hacking of its payment system network. This is the first settlement Heartland has reached with a card brand since disclosing the incident in January of this year."

Heartland processes credit card and debit card transactions. Typically after a breach banks and credit card issuers incur expenses to delete the compromised credit card accounts and issue new credit/debit cards to consumers. So, it is appropriate for Heartland to reimburse the credit card brands and credit card issuers.

"Heartland has also had to pay out fines assessed by other brands such as Visa and MasterCard. Typically, these card brands levy fines against those responsible for data breaches."

Earlier this year, the company set aside over $12 million to cover fines and other breach-related expenses. In February of 2009, at least two class-action lawsuits were filed against Heartland. By Une, about 31 lawsuits had been filed.

Frontline: "The Card Game"

Prior posts in this blog have covered the excesses by banks with consumer credit cards. Frontline's "The Credit Card game" program debuted yesterday. I highly recommend this excellent program:

"As credit card companies face rising public anger, new regulation from Washington and staggering new rates of default and bankruptcy, FRONTLINE correspondent Lowell Bergman investigates the future of the massive consumer loan industry and its impact on a fragile national economy. In The Card Game, a follow-up to the Secret History of the Credit Card and a joint project with The New York Times, Bergman and the Times talk to industry insiders, lobbyists, politicians and consumer advocates as they square off over attempts to reform the way the industry has done business for decades."

If you want to learn about the ways banks have rigged the financial system against consumers, watch this program. In an interview during the program, Nessa Feddis, a lobbyist from the American Bankers Association, made some totally irritating comments.

Check your local PBS station for more broadcast times, or watch the Frontline program "The Card Game" online.

When You Should Close A Credit Card Account

In the comments section of a prior post about large interest rate increases by banks and credit card issuers, Vikki, a reader asked:

"Doesn't closing your credit cards bring down your credit score? This is the only reason why I haven't closed my cards... just paying them off and not really using them."

Vikki asked a great question, which I want to answer more completely. We all have felt "mugged" by the recent large interest rate increases, credit limit decreases, or both -- especially when you have an excellent payment history. The temptation -- or reaction -- is strong: to close the credit card account. Regardless, you don't want to make a bad situation worse by closing a credit card account and later learn that it was a mistake.

To learn more about credit scores, I spent some time reading the MyFICO.com Web site, which is run by the Fair Isaac Corporation, the same company that ownes the FICO score formula. At the Web site, you can learn about the factors your credit score includes and the factors your credit score excludes.

The site also has a page about whether closing a credit card account will negatively affect your credit score. A decision to close a credit card account should consider:

• The outstanding balance amounts on your credit cards
• How much of those balances you can pay off now
• The interest rates on your credit cards
• Your "utilization rate" -- how much of the total available credit you use with your credit cards
• The annual fees on your credit cards
• If you will need credit in the near future
• If you have several credit cards, which credit card account you want to close

Your utilization rate is important. It is one of the factors used to calculate your credit score. A high utilization rate will negatively affect your credit score. For example: closing a credit card with a $5,000 limit means you would have $5,000 less in available credit. If you have two credit cards each with a $5,000 credit limit and you owe $2,500 on your second card, then your utilization rate went from 25 to 50 percent. That would negatively affect your credit score.

Only you know whether or not you will need credit in the near future. If you plan to buy a house or a car soon, then you will probably need credit unless you can pay with cash. If you close a credit card account and that results in a lower credit score, then it could cost you more money on your new loan.

The MyFICO site has data tables that show the impact of a lower credit score. For example, if your credit score dropped 15 points -- say from 770 to 755 -- it could result in a higher interest rate and monthly payments on a 36-month auto loan. You can view data tables with credit scores and corresponding interest rates and monthly payments for auto loans, mortgages, and home equity loans.

Over at the Red Tape Chronicles blog, Bob Sullivan summed up the problem facing consumers:

"No one can say precisely how much closing a credit card account will hurt your credit score -- too many other dynamic factors go into calculating the number. Fair Isaac, which owns the credit score formula, says the impact can range from zero points to dozens of points..."

If you decide to stop using a credit card instead of closing that credit card account, then your decision could have negative consequences. Some consumers have reported that their bank or credit card issuer (e.g., HSBC, Citibank, American Express) has closed unused credit card accounts, often without notice. That credit card account auto-closed by your bank could drive up your credit utilization rate and negatively affect your credit score. So, check the fine print in your card agreement before you stop using a credit card.

After reading the MyFICO Web site, I remembered some credit decisions I made about 12 years ago, At that time, I had five credit cards with a combined outstanding balance of $18,000. For me, I had too much credit card debt and it had become unmanageable. I didn't need more credit and didn't want any more credit. 12 years ago, the Internet then wasn't the robust research source it is today. I met with a credit counseling agency to get some sound advice. What worked for me: I closed three credit card accounts, negotiated a lower interest rate on one card, halved the credit limit on one card, stopped paying off old credit card balances with new cards, stopped using my credit cards for cash advances, and paid off the highest interest rate card first. I didn't consider the negative impact on my credit score. I was focused on the benefits of living debt free with less stress.

In time, I was able to pay off all of that credit card debt. Today I have zero credit card debt and a credit score above 790. I had it easier than many people since the interest rates on my credit cards were not as high as the outrageous 29.9% today on some credit cards. Today, I pay off my credit card bills in full and on time each month to avoid finance fees. The two credit cards I have are manageable. If either of these cards raise their annual fee in the future, I will switch to another low-annual-fee card and close the offending card account.

Basically, the decision to close a credit card account depends upon your situation. The closed credit card account would be a reduction in credit that could have a big impact on your credit score and on your finances. Make the decision that best benefits you.

Banks Consider Large Annual Fees For Credit Cardholders Who Pay Off Balances

Do you have flawless credit? Do you pay off your credit card balances in full and on time every month? Watch out, you could get "mugged" by your bank.

CBS TV 2 in New York reports that Bank of America and Citigroup are considering annual fees of $29 to $99 per year for credit cardholders who pay off their balances every month in full and on time:

"Bank of America started notifying customers that they will be charged a new annual fee of $29 to $99... Bank of America said in a statement: "At this point we're testing the fee on a very small number of accounts and haven't made any final decisions." Citigroup is also trying out an annual fee with some card holders, and analysts expect more banks to follow their lead. The banks are starting to charge fees to reliable customers in response to a slew of new credit card industry regulations that will limit when banks can hike interest rates."

Consumers who don't accept the higher annual fees must close their credit card account and shop around for a new credit card at another bank.

I find the arrogance of this astounding. If the bank is serious about testing consumer reaction, all they need to do is read the comments by readers on prior I've Been Mugged blog posts about the higher interest rates announced back in February. The banks must be desperate for revenue to cover poor decisions they made about bad debts and risky investments.

Meet The Banks And Credit Card Industry

Are banks the new loan sharks for the 21st century? Despite the new law as some banks slowly loosen credit, so far in 2009 we consumers have experienced huge increases in credit card interest rates, lowered card limits, higher fees, more fees, and constantly changing due dates --  all of this after bailouts and bonuses in 2008.

For more humor about banking and other topics, visit Daryl Cagle's Political Cartoonists Index.

How Much Is A Stolen Credit Card Worth On The Black Market?

The news media has covered very well the Gonzalez- led theft of 130 million credit card numbers. What is this information worth to criminals? In other words, what does this stolen information sell for?

According to a post on VirusList.com dated Aug. 17, 2009, U.S. consumers' Visa credit cards are worth about $2 each. While analyzing virus software, Kaspersky Lab virus analyst Dmitry Bestuzhev found a Web site with pricing information for stolen credit cards. German credit cards, at $6 (USD) each, fetch the highest price at piece. With technical support and a sliding scale of prices, this appears to be organized business.

It appears that the price also varies by order size. CBC News Canada reported:

"Stolen credit card numbers now go for as little as six cents each, if they're bought 10,000 at a time. The price can be $30 US per card for smaller orders. Access to hijacked email accounts can cost 10 cents to $100, while bank account credentials range from $10 to $1,000. Scammers can hire people to "cash out" compromised bank accounts for between eight per cent and 50 per cent of the amount they're stealing. Hosting for scam websites ranges from $3 to $40 per week."

That implies that the 130 million credit card numbers stolen by the Glonzalez-led theft ring are worth about $7.8 million (USD) on the black market, if purchased in bulk.

The Places Where Stolen Card Data Will Go

The Credit Card Industry Struggles With Keeping Consumers' Data Secure

The last few weeks have included a huge increase in identity-theft news. First, we consumers heard on August 17 about the indictment of three hackers -- a Miami man and two Russian accomplices -- in what is probably the largest data breach and theft in the USA. More than 130 million debit and credit card numbers were stolen.

This latest theft of 130 million card numbers covered data breaches from 2006 to 2008 for companies including Heartland Payment Systems, a card payment processor, and retail chains 7-Eleven Inc and Hannaford Brothers. The Heartland breach has affected dozens of banks nationwide.

Second, we learned that this the Miami man, Albert Gonzalez, was also a former government informant for the U.S. Secret Service since 2003 and was already known to government officials, and already in prison for a series of eight retail hacks affecting and additional 40 million credit cards. The thefts of those 40 million additional cards included retail companies such as BJ's Wholesale Club and TJX Companies/T.J.Maxx. So one man (with help from some friends) stole more than 170 million debit/credit cards.

How do three people steal 130 (or 170) million credit cards? Third, we started hearing technical terms like the "SQL injection" technique the criminals used to exploit weaknesses in the way computer system developers write code for credit card databases. According to InternetNews:

"For his crimes, if Gonzalez is convicted in the Heartland incident, he'll face a fine of at least $250,00, and up to 25 years in prison. Gonzalez had servers in California, Illinois, Latvia, the Netherlands and Ukraine..."

Sounds to me like far more than three people are involved. You don't simply set up servers in multiple countries without some help. This theft smells like an organized business. I want law enforcement to capture and prosecute other criminals worldwide (e.g., Hacker-1 and Hacker-2 who are in or near Russia) who aided the thefts and/or resold the stolen data.

Fourth, details then began to emerge about the breaches at specific companies:

"... Dallas-based 7-Eleven, while confirming security breaches, said that only ATMs at some stores were affected... Moreover, the Dallas chain would not say where the affected stores were.... A 7-Eleven statement said the chain became aware of attacks in late 2007, saying they had occurred Oct. 28 through Nov. 8. The indictment said the chain’s network was breached from August 2007... Each card-issuing company made its own decision on what action to take, including replacing cards or putting card numbers on an alert for fraud..."

Like a bad screenplay, we further learned that Gonzalez went by the "soupnazi" online alias and he:

"... reportedly became an informant for the Secret Service in 2003, helping in a sting of a cybercrime syndicate, known as Shadowcrew.com. But afterward, Gonzalez re-established his own hacking group, called "Operation Get Rich or Die Tryin," according to Threat Level..."

Perhaps most troubling:

"Accomplices to the crimes are believed to be on the loose in Russia or other countries where U.S. authorities are less likely to get them. And the underlying security holes mined by the hackers still exist in many payment networks."

Most of this was summarized nicely in the New York Times:

"The financial stakes are getting higher. Fraud involving credit and debit cards reached $22 billion last year, up from $19 billion in 2007, according to California consulting firm Javelin Strategy & Research."

You may remember that the breaches at Heartland and Hannaford occurred while both companies were supposedly within compliance to security requirements. Again, from the New York Times:

"Those standards were set by a council that includes the world's two largest credit card networks, Visa and MasterCard Inc; fast-food leader McDonald's Corp; oil major Exxon Mobil Corp; and big banks Bank of America Corp and Royal Bank of Scotland Plc... Yet some 5 percent of the largest retailers and restaurants still have not met compliance deadlines set in 2007, according to Visa."

Clearly, the security standards are insufficient and need to be strengthened. Then, we learned that J.C. Penny, Target, Boston Market, DSW, Office Max, Barnes & Noble, and Sports Authority were affected by the Gonzalez-led breaches. By the end of the week, Gonzalez pled guilty to several charges about the breaches, and would get a maximum of 25 years in prison.

Meanwhile, the banks, credit card networks, and retailers argue about the appropriate security standards and who should pay. What should consumers do?

We consumers can't control the squabbles between the banks, credit card networks, and retailers. We can control which cards we use and when. My advice is this:

1. Shop online with your credit card, since that gives you more protection than a debit card.
2. If you can, use cash for in-store purchases, or use a credit card. Why? Retailers are not honest and transparent about informing consumers of breaches or about which stores in their chain are problematic. (Remember, not all states have data breach notification laws.) And, the credit card industry still hasn't solved its security problems. See this blog post above.
3. Use your debit card at your bank's ATM machines. Regardless of those entertaining Visa and MasterCard advertisements on television, the system isn't as secure as it should be. I avoid ATM machines in convenience stores, and try to use ATM machines only in my bank's branches.
4. Review your monthly credit card statements, since some fraud shows up as tiny charges first (e.g., 25 cents) and since you may spot fraud first. Don't rely on your bank spotting it first. If you spot fraudulent charges, report it quickly to your bank or credit card issuer.

Capital One Wants To Decide What's In My Wallet

Way back in February 2009, I wrote about the Capital One notification I received about a huge interest rate increase on my Visa credit card. Back then, guest author Bill Seebeck also wrote about the huge interest rate increases the banks and credit card issuers were implementing.

Last weekend, I received a letter from P. Taylor Jamison, the Director of Accounts at Capital One:

"Dear George Jenkins,

Ready to enjoy more buying power? Well, grab your shopping list and your Capital One card because: Your credit line has been increased by $5,000.00... If you want to unload some higher interest rate balances and possibly enjoy more time and money for yourself, well -- your new credit line can help with that, too. You decide... Thanks for being our customer. We hope you enjoy your new credit line increase!"

Well, I sincerely appreciate Capital One for extending me more credit. I didn't ask for the credit line increase, but Capital One seems happy to provide it and decide what amount of credit is in my wallet. I guess that the Obama Administration's bailout program money (Capital One received $3.5 billion) is finally flowing to consumers... 6+ months later.

Unload higher rate balances? My Capital One Visa interest rate (17%) is the highest rates I have. I don't have any loans nor credit card balances with higher interest rates. So, there's nothing for me to transfer or unload.

On Monday I called the Capital One Customer Service to see if they could really help me. A very nice woman, Alina answered the phone. I asked Alina to reduce my credit line since I don't need $8,000.0 amount of credit. I sincerely appreciate the increase, but don't need that much credit. Alina was very polite and adjusted my credit line immediately.

While discussing this, I asked Alina to reduce my interest rate also, since Capital One obviously considers me a good customer. Alina said that she couldn't lower my interest rate and that I'd have to speak with a supervisor.

A couple minutes later the supervisor, Carol, joined the phone call. I repeated my request to see what Capital One could do for me, like a lower interest rate instead of the higher credit limit I didn't need. I reminded Carol that Capital One had increased my Visa interest rate in March by a lot, and a point or two reduction now would mean a lot.

I added that the higher rate has scared me from using my Capital One Visa credit card. Their card is basically no longer in my wallet.

Carol seemed to understand and empathized. After checking her files, she said that while I have been a good customer since 1994 Capital One wouldn't lower my interest rate at this time. Maybe a lower rate in the future. She said she could convert my card to a Rewards card with either frequent-flyer miles or 1% cash back. I thanked her for the Reward offer and replied that I'd keep using my Discover card since it pays me 5% cash back.

My point for sharing this story: we consumers decide what's in our wallets (and purses). Given the high interest rate and low cash-back payments, my Capital One Visa is not in my wallet. It could return to my wallet, but Capital One will have to make it worth my benefit.

10 Things You Should Know To Protect Yourself From Identity Theft

Over at WalletPop, there's a good list of tips for consumers about how to avoid identity theft and fraud:

1. Thieves don't need your credit card number in order to steal it. Conversely, they don't need your credit card in order to steal your identity.

2. The non-financial personal information you reveal online is often enough for a thief. Beware of seemingly innocent personal facts that a thief could use to steal your identity. For example, never list your full birthdate on Facebook or any other social-networking Web sites.

5. If an ATM or store terminal looks funny, don't use it. "Make sure there is no device attached to any ATM card slot... As a general rule, the mouth of a card receptacle on an ATM machine should be flush with the machine or have only a very slight lip.

8. Pay attention at the checkout line. If a cashier or salesperson takes your card and either turns away from you or takes too long to conduct what is usually a normal transaction, she may be scanning your card into a handheld skimming terminal to harvest the information. But they... can take a picture of the front and back of your card with a cell phone or merely swap out cards.

One protection tip that hadn't occurred to me when traveling on vacation or on business:

"... cut up your used hotel key cards when you check out... since these keys contain important information about you and your finances, including your name, address, phone, and the credit card you used to pay for your room. When you toss them out or leave them lying in the hotel room, anyone can pick them up and use them to steal your identity,"

To read the entire list, visit the WalletPop site.

Banks: The New Loan Sharks & Extortionists of the 21st Century?

[Editor's Note: today's blog post is by guest author William Seebeck. During the 1980's, Bill and I worked together at Lexis-Nexis in Dayton, Ohio. Bill has a wealth of experience in online systems, banking, publishing, and public relations. Bill also blogs at Seebeck's View.]

By Bill Seebeck

Well, here it is the 21st of June. It's Father's Day.

Yet today, millions of credit card holders that have received notices from their banks since June 1st, know this is the beginning of a new cycle in which the percentage of funds due monthly on their accounts has doubled. Instead of having to pay 3% of their total amounts due, they will now have to pay 6% and for some of them at an interest rate upwards of 29%.

You know, I bet there are still some guys in prison doing time for loan-sharking in this country. What's a loan shark? That's someone who charged greater than a rate considered just by the society. That rate before the banks and Congress changed it used to be 23%. It was called the usury rate.

The Catholic Encyclopedia states that usury is a sin and frankly is so in every major Abrahamic religion. "...Lending money at interest give us the opportunity to exploit the passions or necessities of other men by compelling them to submit to ruinous conditions...[Usury has been defined] as the abuse of a certain superiority at the expense of another man's necessity... It is in itself unjust extortion, or robbery."

So, who are the loan sharks now? Who are the extortionists?

What's extortion? Findlaw states, "Most states define extortion as the gaining of property or money by almost any kind of force, or threat of (1) violence, (2) property damage, (3) harm to reputation, or (4) unfavorable government action. While usually viewed as a form of theft/larceny, extortion differs from robbery in that the threat in question does not pose an imminent physical danger to the victim..."

I think it is fair to say that demanding high monthly minimums at interest rates up to 29.99% can be viewed by the "card holder" as threatening. Failure to pay can result in harm to their reputations in the form of credit scores and possible default, and in this world, "no credit" can put a person and their family on the street in a nanosecond.

So, if you think that the banks are OK and that everything has changed, you are living in a world of dreams. Take a look around your neighborhoods and see how many empty stores there are and how many people are out of work. In part, it is because of what some banks did and what some banks continue to do.

What they are doing is squeezing, you, the public for their own benefit.

Definitely actions that are not in the interest of the public good.

Who are their monitors? Where are their monitors? How do they continue to get away with this stuff?

I'm upset by this, are you?

By the way, Happy Father's Day!

Copyright 2009 WBSeebeck. Reprinted with permission.

Updates On The Heartland And RBS WorldPay Lawsuits

When I have read news reports during the past few weeks, I get the impression that executives at Heartland Payment Systems and some banks are happy to act as if the Heartland data breach never happened; to avoid telling credit cardholders details about the Heartland data breach. To me, this attitude is totally unacceptable. Plus, several states require the notification of consumers.

On Thursday last week, SC Magazine reported:

"A federal court body ruled this week that litigation facing two payment processors, Heartland Payment Systems and RBS WorldPay, will be consolidated. In separate judgments, the U.S. Judicial Panel on Multidistrict Litigation decided this week that lawsuits against Heartland will be heard in Texas, while action against RBS WorldPay will be moved to Georgia. Thirty-one separate lawsuits, on behalf of consumers, investors, banks and credit unions, have been filed against Princeton, N.J.-based Heartland, which disclosed in January that its systems were breached. Heartland did not say how many records were compromised, but some estimates placed the number around 100 million, making it the largest reported data breach in history."

That would make Heartland's breach bigger than the TJX Companies / TJ Maxx data breach (90+ million records). I am watching these lawsuits closely, since Heartland was supposedly PCI compliant while its breach occurred. I also believe that the immense size of these data breaches warrants strong consequences for the executives at both companies. Monetary fines, and a temporary removal from Visa's list of PCI-compliant firms, are not strong enough consequences.

All of this has consequences for consumers. In yesterday's blog post, the Associated Press summed up the situation for consumers: every time you pay with plastic, chances are that retailer is gambling with your sensitive personal data.

Weak Data Security Facilitates Data Breaches By Retailers

Yesterday, the Associated Press released its finding of an investigation into data breaches since 2006 and Payment Card Industry (PCI) compliance by retailers. The key findings:

"The government leaves it to card companies to design security rules that protect the nation's 50 billion annual transactions. Yet an examination of those industry requirements explains why so many breaches occur: The rules are cursory at best and all but meaningless at worst...More than 70 retailers and payment processors have disclosed breaches since 2006, involving tens of millions of credit and debit card numbers... many others likely have been breached and didn't detect it."

I've written previously about data breaches at debit/credit card payment processors that were audited and supposed to be PCI compliant. Too many retail companies are still not compliant with PCI standards:

"... one in 10 of the medium-sized and large retailers in the United States — face fines but are left free to process credit and debit card payments. Most retailers don't have to endure security audits, but can evaluate themselves."

Combine this with the fact that 20% of information technology professionals lie on data security audits, and you have a culture focused on making money and not protecting consumers sensitive personal data. Perhaps the damning part:

"Credit card providers don't appear to be in a rush to tighten the rules. They see fraud as a cost of doing business and say stricter security would throw sand into the gears of the payment system, which is built on speed, convenience and low cost."

The consequences tor consumers:

"It means every time you pay with plastic, companies are gambling with your personal data. If hackers intercept your numbers, you'll spend weeks straightening your mangled credit, though you can't be held liable for unauthorized charges. Even if your transaction isn't hacked, you still lose: Merchants pass to all their customers the costs they incur from fraud."

many of us have already experienced large increases in our credit card interest rates to cover higher expenses by banks and credit card issuers. I'm sure part of these higher expenses are the costs to re-issue credit cards after huge data breaches and to pay for the fraud.

The Associated Press article mentioned one example where it took a consumer four months to fix two credit cards that were hacked as part of the Hannaford grocery chain breach. And that didn't include the time spent to adjust online bill payment arrangements with those credit cards -- the work consumers must do and credit card companies don't help with after a data breach.

This means that retailers are more interested in making money and profits than a sincere effort to protect your sensitive personal data. Is this acceptable? Of course not. Can the retail and credit card industries do a better job? They should and must.

If this infuriates you (and I truly hope that this does make you mad), I encourage you to write to your credit card company and demand better data security, and not just fines of payment processors and retailers who are not PCI compliant. The address is on the back of your monthly credit card paper statement.

Then, write to your elected officials in Congress and demand both strong legislation to send to jail company executives who continue to ignore data security, stronger PCI standards, and an FTC policy that is stronger and more effective than the current self-monitoring policy.

Banks' And Credit Card Issuers React To The New Credit Card Law

Warning: adult language.

New Credit Card Laws. If you liked this video, watch this one about Citibank.

After A Data Breach, Will A Replacement Credit Card Affect Your Credit Score?

You've just received a replacement credit card. Perhaps, your new credit card was the result of identity theft, fraud, or a preventative action by your bank after the Heartland Payment Systems or RBS WorldPay data breaches. The questions is: will your replacement credit card affect your credit score? Bankrate.com reported:

"This is one of those instances where an account closure likely won't affect your score at all. With lost or stolen cards or data breach situations, an issuer will usually close the old account and specify a reason, such as reported lost or stolen, and open a new account for you. As long as the new account keeps the original open date and doesn't trigger a hard inquiry, the conversion shouldn't harm your score."

Experts suggest that your new credit card account should have the same open date as your original account, so you retain your payment history. The credit limit and balance for our new card account should remain the same, too.

When a consumer normally applies for a new credit card, the credit card issuer checks the consumer's credit report to see if the consumer is a good credit risk or not. This inquiry can ding (e.g., lower slightly) the consumer's credit score when a lender interprets the closed old card account as:

"... the credit limit loss can increase your credit card use."

If your replacement credit card is an account upgrade, this could affect your credit score.

Experts advise that if the credit report inquiry is issuer-initiated, then your credit score probably won't be affected. If the credit report inquiry is customer-initiated, then it will likely affect your credit score. After you receive your replacement credit card, it's wise to check your credit report to verify that the information in your credit report is accurate.

To me, a consumer should not have to worry about this; especially if the replacement credit card was the result of a data breach at either the credit card issuer, the bank, or a transaction processing firm like Heartland. It seems to me that once again, a company's carelessness causes consumers inconvenience and more work.

There has to be a better way. The current system seems unfairly tilted towards the needs of companies over the needs of consumers.

Another Consequence of the Heartland Data Breach

When banks and credit card issuers provide replacement debit/credit cards after a data breach, this negatively impacts the restoration of online payment arrangements by consumers. From the Washington Post:

"The data breach last year at Heartland -- a company that processes roughly 100 million card transactions a month for more than 175,000 businesses, has forced at least 600 banks to re-issue untold thousands of new cards in a bid to stave off fraud. For consumers, receiving a new credit or debit card number means contacting companies that have those credentials on file to charge for monthly or periodic bill payments. Less well understood, however, is the economic impact that large scale processor breaches and the inevitable waves of re-issues by banks may have on companies when customers simply fail to reset that automatic billing when they receive a new card number."

The WaPost story focuses on a company that is seeing a $1 million impact from the consumer card turnover. Multiply that by thousands of small and medium-sized business and you are describing a huge, on-going financial impact. The article explores some of the reasons why consumers don't restore their online payment arrangements with their new debit/credit cards:

"The trouble is that convincing customers who had once set up auto-billing to reestablish that relationship after such a disruption is tricky, as many people simply don't respond well to companies phoning or e-mailing them asking for credit card information..."

Like you, I am a consumer. My list of reasons why consumers don't restore their online payments with replacement debit/credit cards after a breach:

• Resentment: breaches inconvenience consumers. While banks and credit card issuers provide replacement cards, it is consumers that bear the burden -- time, effort, and money -- to contact retailers to restore online payment arrangements.
• Preoccupied: consumers are busy. Young parents are busy raising families. Professionals are busy with their jobs and business travel. The work to restore online payments is prioritized against other important household responsibilities. If the consumer has already experienced fraud on their card account, then even more work is required before they can restore online payment arrangements.
• Broken trust: breaches like Heartland's tell consumers that their bank -- or its contractor -- hasn't protected their sensitive personal data like they should. That causes consumers to not use their debit/credit cards.
• Lack of personal attention: a standardized, nameless form letter of notification tells consumers that their bank or credit card issuer is doing the absolute minimum, and probably doesn't care.
• Poor Customer Service: low online payment restoration rates are inevitable if the bank or credit card issuer's customer service is reactive or ill-prepared. This includes a bank's web site that is not updated or does not contain the necessary information to help consumers restore their online payment arrangements.
• Lack of transparent notification: when banks, credit card issuers, and processors like Heartland are slow or reluctant to release details about the breach, trust erodes. Consumers expect and deserve open, honest and direct communication. Poor communication causes consumers to conclude that breaches are likely to happen again. The attitude becomes: I won't bother to restore online payments because another breach is likely.
• Reduced access to credit: banks and credit card issuers have raised the interest rates on their cards, reduced limits, and imposed new or higher fees. These actions discourage consumers to use their cards.

As I reread this list, it occurred to me that this is also a pretty good list for consumers to use when deciding whether or not to switch their bank.

What do you think? If you have received a replacement debit/credit card after a breach, did you restore all of your online payments? And why, or why not?

Data Security: PCI Is Not Enough

This TechNewsWorld article should make consumers pause before your next visit to the mall to shop with your debit/credit cards:

"It's evident that PCI compliance is not enough to fully protect credit card transaction data. Major fiascos such as the infamous Heartland, RBS WorldPay and TJX data breaches will continue to occur unless the system is fixed. One possible solution? Protection that starts at the database level... Although the exact details of the Heartland breach and compliance issues have not been made public, it is widely believed that credit card data was exposed and non-compliant during its time on the Heartland server. It is staggering that retailers and others processing credit cards are required to protect all transactions in order to be in compliance with the points of PCI, yet once the transactions get to the "super-processors" such as Heartland, these requirements are apparently not systematically enforced -- or even required, at some points. The more data you handle, the lower the security bar, or so it seems."

To address this mess, Heartland is proposing end-to-end data encryption. I am a consumer and not a data security expert, so I have no idea if that will work, or if heartland is blowing more BS. Regardless, this trend seems very important:

"The more sinister threat environment, which has emerged over the past two years, involves well-organized criminal gangs that grab data with the sole purpose of using it fraudulently. The "2009 Verizon Data Breach Investigations Report" outlined the change, finding that 93 percent of all electronic records breaches occurred in the financial services industry, with 90 percent of the breaches tied to organized crime."

Now that consumers have been thoroughly warned and trained about phishing attacks (e-mail and Web sites), identity thieves have focused their attacks on sites where the money is: banks and retailers.

Why Banks And Credit Card Issuers Analyze Your Credit Card Purchases

Prior posts in this blog have discussed why banks and credit card issuers are raising the interest rates, lowering the limits, and changing the billing periods on your credit cards. This Sunday New York Times newspaper has a fascinating that explains how banks and credit card issuers make money, and why they do the infuriating stuff that they do to consumers.

Historically, banks and credit card issuers made money by:

"... collecting annual dues and interest payments from cardholders as well as fees from merchants each time a customer used a card."

This money-making approach changed when:

"... the math whizzes arrived. They emphasized that the biggest profits didn’t come from people who always paid off their bills but rather from less-responsible clients who never paid their entire balance, and thus could be milked through silently skyrocketing interest rates, late fees and other penalties."

To make more money, the banks and credit card issuers changed their habits about who they marketed their credit cards to. The result:

"Since 1995, the percentage of the industry’s income from cardholder fees has more than doubled to 40 percent. In 2005, as the push to sign up cardholders peaked, the industry sent out more than 10.2 billion credit-card solicitations, which would cover more than the entire world’s population. Two years later, card companies collected $40.7 billion in profits before taxes... Americans carry an average of 5.3 all-purpose cards in their wallets, and the average household has $10,679 in credit-card debt..."

So, the banks and credit card issuers want as customers people who will steadily pay part of their monthly credit card bills. To find these "right" customers, the banks and credit card issuers needed to distinguish between the less-responsible customers who they could make money from (e.g., people who steadily pay part of their monthly credit card bills), from the less-responsible customers who would be dead-beats (e.g., never pay their credit card bills). To accomplish this:

"The exploration into cardholders’ minds hit a breakthrough in 2002, when J. P. Martin, a math-loving executive at Canadian Tire, decided to analyze almost every piece of information his company had collected from credit-card transactions the previous year... Martin could often see precisely what cardholders were purchasing, and he discovered that the brands we buy are the windows into our souls — or at least into our willingness to make good on our debts. His data indicated, for instance, that people who bought cheap, generic automotive oil were much more likely to miss a credit-card payment than someone who got the expensive, name-brand stuff. People who bought carbon-monoxide monitors for their homes or those little felt pads that stop chair legs from scratching the floor almost never missed payments. Anyone who purchased a chrome-skull car accessory... was pretty likely to miss paying his bill eventually."

How accurate was this analysis?

"Martin’s measurements were so precise that he could tell you the “riskiest” drinking establishment in Canada — Sharx Pool Bar in Montreal, where 47 percent of the patrons who used their Canadian Tire card missed four payments over 12 months. He could also tell you the “safest” products — premium birdseed and a device called a “snow roof rake”... Martin’s predictions, when paired with other commonly used data like cardholders’ credit histories and incomes, were often much more precise than what the industry traditionally used to forecast cardholder riskiness."

Now we know why banks and credit card issuers analyze your credit card purchases. (Bye bye privacy.) Your purchases indicate whether you will be a profitable or unprofitable customer for them; whether you will pay your monthly credit card bills on time and in full, partially, are a slow payer, or a true deadbeat.

Last year, I wrote about how Wall Street considers many consumers as chumps. That still seems to be Wall Street's attitude today, since banks and credit card issuers don't really want as customers people who pay their monthly billls in full and on time. Rather, they want customers who pay part of their credit card bills, often pay it late, never consider that everything costs more when using their credit cards this way, and don't change their financial habits.

Heartland Goes On The Offensive After It Suffers The Largest Breach Ever

Various news reports pegged the breach at 100 million consumer records, larger than the TJX Cos. / T.J. Maxx breach. What is Heartland doing? PC World: reported:

"... Robert O. Carr, chairman and CEO of Heartland, has come out swinging... Carr has been pointing the finger at the payment industry itself for not going far enough with best practices. Heartland has taken advantage of several merchant associations to promote new initiatives that could revolutionize the payment card industry beyond PCI DSS compliance... Heartland is in the process of developing a true end-to-end (E2E) encryption solution for its merchants. What's different is that Heartland wants to be the first payment processor to ensure that data remains encrypted all the way from the point of sale through the processing by the card company."

That all sounds very nice. My question is this: why didn't Heartland pursue stronger data security methods sooner? Why did the company wait until after the largest data breach ever to decide to pursue stronger data security measures?

The tough stance by Heartland sounds like that old saying: the best defense is a good offense. It's an attempt to keep people focused on the new PCI-DSS guidelines, rather than focus on the hundreds of millions of consumer records stolen during the Heartland breach.

Remember, after the breach Visa and MasterCard had removed Heartland from their list of PCI-DSS approved vendors. And the notification to consumers has been less than optimal. About May 6, Heartland was added back to the list of PIC-DSS approved vendors. And:

"... at least MasterCard also imposed a hefty fine on banks using Heartland. The company also faces a class action lawsuit. Separately, Carr himself is under investigation from the SEC regarding a stock sale he made late in the 2008."

Don't feel bad for Heartland. The company is getting the appropriate consequences. The breach has cost Heartland $12.6 million so far in legal costs and fines from Visa and MasterCard.