Continuing its massive clean-up in the wake of the payment card industry’s biggest data breach, merchant acquirer Heartland Payment Systems Inc. late on Wednesday announced a $41.4 million settlement with MasterCard Inc. The settlement will reimburse MasterCard debit and credit card issuers for their costs stemming from the breach Heartland disclosed in January 2009.
Heartland has already settled with Visa Inc. for about $60 million and American Express Co. for $3.54 million (Digital Transactions News, Jan. 8). That leaves Discover Financial Services as the only major U.S.-based card network with whom Heartland hasn’t announced a settlement. The U.S. attorney for New Jersey estimated the breach compromised 130 million payment cards. Several defendants, including notorious computer hacker Albert Gonzalez, have been convicted on federal charges in connection with Heartland’s and other big data breaches.
Heartland’s MasterCard settlement is contingent upon approval from issuers representing 80% of the affected MasterCard accounts. The Visa settlement had a similar 80% threshold, which issuers approved. MasterCard will make its so-called “alternative recovery offers” to issuers on May 27; issuers have until June 25 to accept them, according to a Heartland filing with the Securities and Exchange Commission. The agreement also provides that those issuers accepting a recovery release Heartland and its sponsor banks, Cleveland-based KeyBank and St. Louis-based Heartland Bank (no relation to the processor), from further breach-related claims. Heartland must obtain a loan of at least $30.7 million to fund its obligations under the settlement.
According to the Heartland filing, MasterCard will credit the settlement pool with $6.6 million in “non-compliance assessments”—network fines—that it charged Heartland’s sponsors, which those banks passed on to Heartland. That means the maximum Heartland will have to fund for the pool will be $34.8 million.
Neither Heartland nor MasterCard would comment about the settlement beyond their respective news releases. Like AmEx and Visa, MasterCard didn’t say how many of its card accounts sustained breach-related fraud losses, or how many cards its bank and credit-union clients reissued as a precaution. Gartner Inc. security and technology analyst Avivah Litan tells Digital Transactions News by e-mail that based on estimated replacement costs of $14 to $20 per card, “it would appear from this settlement that MasterCard could only prove that some 2–3 million of their cards actually had fraud losses and had to be reissued with new accounts.” She adds that, “it’s good that Heartland is finally settling with MasterCard so it can begin to put this matter behind them.”
Robert O. Carr, Heartland’s chairman and chief executive officer, said in his company’s release that, “We are pleased to have reached an equitable settlement agreement that helps issuers of MasterCard-branded cards obtain a recovery with respect to losses they may have incurred from the intrusion. We look forward to working with MasterCard to encourage these issuers to participate in the settlement program for a speedy resolution.”
“We feel that this settlement represents an appropriate and fair resolution for our issuing financial-institution customers and will enable them to avoid uncertainties and delays associated with potentially protracted litigation,” Wendy Murdock, chief franchise officer for MasterCard, said in MasterCard’s release. “The agreement underscores MasterCard’s continuing efforts to maintain the integrity of payment card industry standards and mitigate the impact of account data compromise events.”
MasterCard says issuers that refuse their offers will have their claims “determined pursuant to MasterCard’s internal processes,” and may receive more or less than they were offered, or nothing at all. Recoveries will depend on various factors, including “MasterCard’s determinations of their claims and the outcome of any litigation that Heartland may file, and has threatened to file, to challenge claim awards that exceed certain amounts,” the release says.
Issuers that accept their MasterCard settlements can expect payment in the third quarter, according to MasterCard. Since announcing the data breach 16 months ago, Heartland had expensed $108.7 million in breach costs, net of insurance recoveries, through March 31.