Just a comment on pins:
For a 4 digit pin, there's only a thousand variations, and a decent hack program can run through them rather quickly. Sometimes only a minute or two. Perhaps less. Even if the card # is obtained elsewhere. This is an example of how long some of these software hack wars last. Again, the banks are at war on this stuff.
Note my earlier comment of no pins and isolating accounts from other accounts.
Originally Posted by Unique_Carpenter
There are 10,000 variations, not 1,000, and just about every bank in the world is going to shut off the card once you start trying multiple PIN numbers.
In all likelihood, based on the OP's information, this would be a BoA issue, however I doubt it, because there has been no breach notification by them, if a single card was compromised, likely all BoA cards would be.
The likelihood of it being a store / merchant breach are VERY VERY small, IF the PIN was actually compromised. Merchants NEVER get your PIN number, they can't see or store it in the clear. The PIN is encrypted at the device you type it into, and is only decrypted at the bank when the transaction is authorized. In very rare cases retailers will store the encrypted version of the PIN, but that has become very very rare with the changes in compliance regulations.
Most likely your card number was compromised at a retailer, BoA's fraud department caught an attempted charge, and froze your card, and when they notified you, they went through the standard speech of were issuing a new card and you need to change your PIN just in case. The number of retailers that have been breached for card data is actually pretty large since the Target hack in late 2013 (Target, Home Depot, Jimmy Johns, Sally Beauty, Dairy Queen, Albertsons / Jewel Osco, Orange Julius, Goodwill, Harbor Freight, KMart, MAPCO gas stations, Michaels / Aaron Bros, Neiman Marcus, PF Changs, Park and Fly, Numerous other airport parking vendor, Schnucks, Spec's, Supervalue Grocery, The Taste Buds, UPS Stores, White Lodging hotel management, and about 1,000 unnamed mom and pop retailers - and this is not a comprehensive list.)
If you dont know the PIN and the PIN truly WAS compromised, then it was something internal to BoA, but not large enough of an issue to warrant a breach notification on the scale that you would expect. More likely would be someone at BoA grabbing card numbers and PIN's here and there and trying to make out with some money, but even that seems slim. I just have a hard time believing the PIN was actually compromised (I believe you, just not them.)