We have a Citi MasterCard that was one of the (apparently) hundreds of thousands whose security was compromised in the recent Heartland Security Breach.
I’d heard the news about the breach, but the first sign I had that we were involved was when I tried to use the card for an online purchase. No email, no phone call, nothing from Citi regarding the problem. When the transaction failed three or four times I knew it wasn’t the vendor website’s fault, so I checked my Citi account online. There I saw a bright red warning that my account had been shut down because of risk of compromise.
When I called (this was back on February 20th or so, I think) to complain about the lack of notice, the customer service representative explained that Citi had no time or resources to notify all the cardholders, especially given the scale of the possible breach, but had rather acted to place all the possibly compromised accounts on hold as soon as they could. I was told they had issued new cards with new account numbers, at no charge to any of us, and that the new card would be here shortly.
Well, we got the new card, and we activated it and set up online access.
Interesting thing we discover, which (aside from the general lack of coverage of the Heartland fiasco in the press and blogosphere) is why I’m bothering to write this: a strange charge we didn’t recognize, with code TOTAL SEC BALANCE TRANSFR-ITEMIZED. The amount charged ($99) was the same as the new charges that had accrued on the old account before the transfer, but “99” is one of those numbers that makes you wonder about intentional design. In any case, this clearly implied we had either been double-charged, or charged an extra and unauthorized $99 fee.
So I got back on the phone and called customer service just now, and spoke with Jim. He explained to me that TOTAL SEC BALANCE TRANSFR-ITEMIZED was a “system message”, which represented (as it seemed) the sum of items booked to the old closed account just before the new one was set up. He explained it was an “accounting quirk in their system”, and that it would disappear at the beginning of the next billing cycle. Merchants had authorized $99 worth of charges right before the account was closed and balances were transferred, and the mysterious line item indicated the transition from “authorization” to actual charge. Jim explained that generally this transition removes the authorization charge from the billing system, but because the account changed in the interim period, the charge accrued on the new account but the authorization couldn’t be removed from the old one (or something like that). He pointed out (very helpfully) that if my card had been misplaced or stolen, the same dynamics would have kicked in there, too, and the same sort of transactions would have happened.
This got me thinking. It may be ephemeral, a “quirk of the system”, but nonetheless on the books and until the authorization is cleared I owe an extra $99 to Citi. It’s mere coincidence of timing that our account came to $99. But it seems highly likely (given the several-days typical delay between authorization and charge in many merchants’ transactions) that any regular cardholder might have one or more transactions spanning a period like this.
So here we have hundreds of thousands, or millions of credit card accounts, all compromised and all synchronously being transferred to new accounts. What fraction of those had interrupted transactions spanning the synchronized transfer, resulting in these TOTAL SEC BALANCE TRANSFR-ITEMIZED “system messages”?
The numbers are hard for me to even estimate with the information I have on hand (though Jim did allow it was “really a lot” of cards). Seems big.
The thing I have to wonder about is: just at this crucial juncture in the financial crisis, when the company is under the closest scrutiny in decades and the stock is suffering from massive loss of investor faith, Citi has double-booked a sizable Accounts Receivable sum.
And probably not just Citi….

