Thinking more about this...it could occur somewhat frequently. Merchant notifies credit card company that system has been hacked or potentially hacked. Credit card company notifies bank directly or through processor and provides list of potential victims of the bank.
Is my understanding correct that a SAR is only required if the total amount of loss (individually or all customers together) is greater than $25,000 and suspects are unknown? If suspect is known then dollar limit is $10,000.