in my case, Visa has let our institution know and has kept us informed in the developments.

We had 700 cards impacted and we lowered transaction limits on POS items to $0 and sent a letter to the customer explaining that we have requested new cards for them and they should receive in 8-10 days. They can still get cash at an ATM, but cannot transact any POS items until their new cards arrive and are activated.

smcfarland, VISA let us know. Depending on who the servicer of your debit cards are (Visa versus MC), they should let you know if any of your customers cards may have been compromised.

"It all depends on whose ox is being gored."

If we have customers that are worried their cards may have been comprised during this TJX security breach, would they be allowed to put a fraud alert on their credit report without actual knowledge that they may be a victim of identity theft? I didn't know if the FACT Act allowed for this or if it was mainly for people who are victims of identity theft.

Consumers may put an initial ID theft alert on their files, which is valid for 90 days. I was able to do this when I learned that NPPI from my former employer (a Federal agency) had been compromised.

So, are you reissing on expired cards also?

we are not reissuing on expired cards or any of the cards from the 2003 files. Since all of ours have reissued since the point of compromise the track data that was compromised is no longer valid and therefor not at risk.

1.) We make an attempt to contact customers via phone.

2.) We send a letter, advising customers of the security breach by a third party vendor; that we share their concern for their financial safety; that we take these threats seriously; and various instructions on what to be aware of...

3.) Each of the forms of contact are recorded.

4.) Cards are closed as soon as customers are notified.

5.) New cards and PINS are issued, at no cost to customers.

Great info. One thing not addressed. Are there any requirements by the regulators? We have a response program in place, however it does not address third party incidentes such as this one.