The Washington Post reported Tuesday that if the estimate is correct, the incident last year would be one of the largest data breaches ever reported.
The Princeton, N.J., company, which processes payments for more than 250,000 businesses, began receiving fraudulent activity reports late last year from MasterCard and Visa on cards that had all been used at merchants that use their service, said Robert Baldwin, Heartland's president and chief financial officer.
While declining to disclose what well-known establishments were affected, he said 40 percent of transactions the company processes are from small to midsized restaurants.
"No merchant of ours represents even (0.1 percent) of our volume, and to put out any name associated with what is obviously an unfortunate incident is not fair," he was quoted as saying.
Baldwin said Heartland called the U.S. Secret Service and hired two breach forensics teams to investigate the breach.
Last week, investigators determined that a piece of malicious data recording software planted on the company's payment processing network was to blame.