Heartland Hit by Drop in Same-Store Sales, But Encryption Moves Ahead

A record decline in same-store sales and a $19.4 million charge for costs related to its data breach put big merchant acquirer Heartland Payment Systems Inc. into the red during the second quarter. But Heartland executives on Tuesday pointed to bright spots, and also said their post-breach efforts to develop end-to-end data encryption are going full speed ahead. Same-store sales among merchants with Heartland at least a year declined for a fifth straight quarter by a record 9.7%, chairman and chief executive Robert O. Carr told analysts in a conference call. This is in line with a general drop in card-based same-store sales among small and medium-size merchants affecting acquirers across the industry (Digital Transactions News, July 30). Debit card dollar volume rose 8% in the quarter while credit card volume fell by 7%?a pattern similar the big pictures Visa Inc. and MasterCard Inc. painted in their latest quarterly reports (Digital Transactions News, Aug. 3). Charge volume of $15.2 billion from Heartland's small and mid-sized merchant segment was off by 0.6% from 2008's second quarter, but there were upsides. So-called organic revenues from both card and non-card services these merchants bought from Heartland rose 4.9%. And the Network Services portfolio of mostly petroleum and convenience store merchants that Heartland bought last year from Alliance Data Systems Corp. generated 728 million transactions. As they reported last quarter, Heartland's top brass said the breach has not caused merchants to defect to other acquirers. Merchant attrition is staying stable in the 22%-23% range, according to chief financial officer Robert H.B. Baldwin Jr. “It's clear the economy … has merchants in survival mode,” Carr said, a mindset he said has turned their attention away from shopping for payment processors. Heartland also hasn't suffered any unusual attrition in its sales force, Carr added, though he said veteran sales people are hurting from the downturn in new business formation and the lack of merchant expansion that normally would bring them residual income. The breach-related charge arose mostly from a proposed settlement Heartland is making to resolve certain claims. The company, which is facing numerous lawsuits arising from the breach, said it could not give details, nor would it project future breach-related expenses. Heartland still hasn't revealed the size of the breach that it first reported just over six months ago (Digital Transactions News, Jan. 20). Based on Heartland's massive merchant portfolio and charge volumes, however, observers quickly assumed it was one of the biggest ever in the payment card industry. So far this year Heartland has set aside $32 million for breach expenses. Since the breach, Carr has become the apostle of end-to-end data encryption during the transaction process. Current processing procedures leave magnetic-stripe data exposed for a fraction of a second, a vulnerability that hackers have exploited in Heartland's and other breaches. Not only is Heartland spearheading efforts to upgrade security standards industrywide, it also is proceeding with an effort it calls E3 that includes a proprietary new secure terminal dubbed TRSM, for tamper-resistant security module. On June 30, Heartland announced it had successfully completed the first phase of an end-to-end encryption test involving transactions sent from a Texas merchant from credit, debit, and prepaid cards on the major card networks. Now Heartland is testing E3 at 10 merchant locations. On Tuesday, Carr said he expects to have E3 in the market by year's end. Carr said he believes Heartland will sell its terminal for under $500. But, in response to an analyst's question, he said Heartland is working with all the major terminal manufacturers and is not looking to offer its own terminal exclusively. Heartland reported a net loss of $2.62 million in the second quarter compared with an $11.5 million profit a year earlier on total revenues of $417.4 million, up 5.8% from $394.6 million. Revenues net of interchange and related network fees and other expenses rose 14.1% to $106.6 million from $93.4 million a year earlier. Adjusted net income that factors out the breach expenses was $9.32 million compared with $14.7 million in 2008's second quarter.