In a filing with the Securities and Exchange Commission, Heartland Chairman and CEO Robert Carr acknowledged the claims that cardholders, card issuers, the credit card brands, regulators, and others have asserted, or may assert, against the payment processor as a result of the breach and the impact it could have on the business. Several class action lawsuits have been filed against Heartland, claiming that the payment processor issued belated and inaccurate statements when it announced a security breach of its systems. Carr He said the company could not "reasonably estimate the potential impact of the breach on the day-to-day operations" of the business.
"We intend to vigorously defend any such claims and we believe we have meritorious defenses to those claims that have been asserted to date," Carr said. "At this time we do not have information that would enable us to reasonably estimate the amount of losses we might incur in connection with such claims."
The Princeton, N.J.-based payment processor announced Jan. 20 that its systems were breached last year when intruders installed malware to pilfer data crossing the company's network. Since then, Sherriff's authorities in Tallahassee, Fla. arrested three suspects for using stolen credit card numbers to make purchases at local Wal-Mart stores. The credit card numbers used by the trio were allegedly stolen from the Heartland processing center in New Jersey.
Carr said the company's sales force was doing well despite the obvious challenges caused by the combination of the downturn in the economy and the data security breach. The payment processor's current customer base has responded positively, he said.
"In the weeks since our announcement of the breach, we have installed more margin, and have a bit less merchant attrition, than in the same period in 2008," Carr said.
Despite the breach and the current economic conditions, the company expects revenue to grow by 12-16% in 2009. The company said its guidance to financial analysts and investors does not include estimates for potential losses, costs and expenses arising from the data security breach.
In the SEC filing, Carr also reiterated his earlier call for pursing efforts for the development of industry-wide implementation of end-to-end encryption. The goal would be to design protection standards that could protect data at rest as well as in motion, Carr said.