Digital Transactions Authoritative, insightful and timely information for payments professionals
Merchant acquirer Heartland Payment Systems Inc. cleared away probably the single biggest remaining matter from the huge data breach it disclosed a year ago by announcing a $60 million settlement with Visa Inc. on Friday. The settlement will cover losses Visa credit and debit card issuers incurred in the wake of the breach that a federal prosecutor said might have compromised up to 130 million cards. Heartland still faces lawsuits and numerous government investigations, as well as possible settlements with MasterCard Inc. and Discover Financial Services. But with Visa being the biggest card network, the settlement clearly moves Heartland well along in its effort to put the breach, which damaged its reputation and stock price, behind it. Investors clearly were happy; Heartland's stock price jumped nearly 11% late Friday morning over Thursday's close. Heartland will bear $59.22 million of the costs, but Visa will refund $780,000 in fines it assessed to Heartland's sponsor banks after the breach, according to a regulatory filing Heartland made Thursday. Sponsor banks typically pass such network fines on to their third-party processors. Heartland's main sponsor bank is Cleveland-based KeyCorp, though it has two others, SunTrust Banks Inc. and Heartland Bank, the latter of which is not affiliated with the processor. Only KeyCorp and Heartland Bank were fined by Visa. Princeton, N.J.-based Heartland Payment Systems will take out a loan of at least $53 million loan to fund its settlement expenses, according to the filing. The agreement with Visa is subject to a number of conditions, including acceptance by issuers representing at least 80% of the affected accounts. Visa will make settlement offers to eligible issuers on Jan. 14. Issuers then must file claims by Jan. 29 to make recoveries. The expenses card issuers bear after data breaches include actual fraud, reissuance of cards confirmed or feared to be compromised, and customer service. “We are pleased to have reached a fair settlement agreement that helps issuers obtain a recovery with respect to losses they may have incurred from the intrusion,” Heartland chairman and chief executive Robert O. Carr said in a news release. “At Heartland, we are also committed to helping issuers?as well as all stakeholders in the payment ecosystem?mitigate future risk. We have assumed a leadership position in the development of enhanced data security and fostering the sharing of information.” A Heartland spokesperson declined further comment. Heartland has embarked on a big initiative to encrypt transactions to prevent future breaches. Also in the release, Visa chief enterprise risk officer Ellen Richey said, “We believe issuers will benefit by participating in this settlement program because it offers an immediate recovery with respect to losses they may have incurred from the Heartland intrusion. Helping financial institutions mitigate costs after a data security breach has been a long-standing component of Visa's security strategy, along with promoting new security technologies, preventing fraud, and leading efforts to secure sensitive data across the entire payment system.” In the TJX Cos. breach, the biggest card breach until Heartland's, TJX settled with Visa on behalf of Visa issuers for $40.9 million (Digital Transactions News, Dec. 19, 2007). TJX's total costs exceeded $100 million. Heartland, which recently settled breach issues with American Express Co. for $3.54 million, had reported $105.3 million in pre-tax breach expenses as of Sept. 30, 2009, and in that month created an $82.9 million settlement reserve. Heartland also has settled consumer lawsuits filed after the breach for between $1 million and $2.4 million (Digital Transactions News, Dec. 22, 2009). Gartner Inc. security analyst Avivah Litan has estimated the Visa issuers' losses at about $50 million, not including customer-service expenses. “It seems like a very fair settlement,” Litan tells Digital Transactions News. “It seems like it reflects the actual losses.” The hacker federal prosecutors say was behind the Heartland, TJX and other big card breaches in recent years, Albert Gonzalez of Miami, pleaded guilty last month in U.S. District Court in Boston to two charges. Sentencing is scheduled for March.
