Heartland to Release Breach News?Though When It Can’t Say

Heartland Payment Systems Inc. will be releasing additional information on the recent data breach of one of its payment-processing platforms, though “I can't tell you how soon,” says Robert Carr, Heartland's chief executive. The Princeton, N.J.-based merchant acquirer in January announced that malicious software, or malware, had been secretly planted on one of its payment-processing platforms. Heartland said it learned late last fall of a possible breach?in which unencrypted card numbers were captured during the authorization process?but that it took until January to actually find the malware program. The platform on which the malware was planted was not being used at the time the investigators found the malicious software. Heartland still is trying to determine how many card accounts were potentially compromised during the breach and to what extent fraud occurred, Carr says. Potentially exposed during the breach were account numbers, expiration dates, and other magnetic-stripe data. However, the cardholder information Heartland processes does not include addresses or Social Security numbers, he says. Visa's latest list of processors compliant with the Payment Card Industry data-security standard no longer includes Heartland or RBS Worldpay, another big merchant processor that disclosed a major data breach late last year (Digital Transactions News, Dec. 23, 2008). Visa posted the new list on Thursday. “Recently, Heartland Payment Systems and RBS WorldPay publicly disclosed unauthorized access to their systems resulting in the compromise of card account information from all major card brands,” Visa said in a statement. “Based on compromise event findings, Visa has removed Heartland and RBS WorldPay from its list of PCI DSS compliant service providers … Heartland and RBS WorldPay are actively working on revalidation of PCI DSS compliance using a qualified security assessor. Visa will consider relisting both organizations following their submissions of their PCI DSS reports on compliance.” Visa would not comment further. Heartland reportedly is processing on probation, which means it must meet stricter Visa security reviews, and Visa plans to fine its sponsoring banks, according to a published report. Spokespersons for neither Heartland nor RBS were available for comment early March 13. The breach also is under investigation by the U.S. Federal Trade Commission, the Office of the Comptroller of the Currency, the Security and Exchange Commission, and the Department of Justice. Disclosure of the data breach has overshadowed the company's operations since January, but Heartland hasn't seen any increase in merchant attrition, Carr says. In the four weeks following the announcement of the breach, “our attrition in each of those weeks is actually lower than the same period last year,” he says. “We think that's because our sales organizations have been energized to go out and talk about the breach with all of our customers.” And while Heartland may have “lost a few merchants, we have kept more this year that we did last year, and the economy's been pretty lousy,” Carr adds. “We think we've been able to counteract it.” Heartland processes for about 250,000 merchant locations. Heartland last week announced that Carr and his wife, Jill, were forced to sell 692,412 shares of the company's common stock to meet obligations under a loan for which the shares were pledged as security. The stock sales occurred around the time the breach was originally discovered but before it was publicly announced, raising speculation that Carr was attempting to cash out his shares before prices fell. Fueling that speculation was Heartland's announcement that the SEC also was investigating circumstances surrounding the breach. Carr declined to discuss the SEC investigation, referring instead to a March 2 press release. In the release, Carr says the stock sale was involuntary. “This forced sale is precipitated by the mix of extraordinary circumstances confronting Heartland and the recent drop in its stock price,” he says. “Unfortunately, I had no ability to stop the sales by my lender.” Carr also said that the sale “does not in any way reflect my view of the company's value and future performance potential. My confidence in Heartland remains strong, and I am enthusiastic about re-establishing my ownership position in the company over the months and years to come.”