Heartland Payment Systems to vigorously defend breach claims, CEO says

By Robert Westervelt, News Editor 24 Feb 2009 | SearchFinancialSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

SearchFinancialSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

In a filing with the Securities and Exchange Commission, Heartland Chairman and CEO Robert Carr acknowledged the claims that cardholders, card issuers, the credit card brands, regulators, and others have asserted, or may assert, against the payment processor as a result of the breach and the impact it could have on the business. Several class action lawsuits have been filed against Heartland, claiming that the payment processor issued belated and inaccurate statements when it announced a security breach of its systems. Carr He said the company could not "reasonably estimate the potential impact of the breach on the day-to-day operations" of the business.

Heartland breach news timeline: Jan. 21: Payments processor discloses massive data breach - Company says an intrusion of its processing system may be part of a broader fraud operation. Jan. 28: Credit unions, banks replace credit cards after Heartland breach - Financial institutions notify customers and reissue or block payment cards affected by the intrusion at payment processor. Jan. 28: First lawsuit filed in Heartland data security breach - A class action lawsuit was filed against Heartland claiming that the payment processor issued belated and inaccurate statements when it announced a security breach of its systems. Feb 13: Three men arrested in connection with Heartland breach - Trio arrested in Florida after allegedly using stolen credit card numbers for purchases at local Wal-Marts, officials said. Commentary: Heartland breach highlights PCI limitations: The benefits of complete PCI and the necessity of full compliance are now being widely questioned, says Eric Ogren, principal analyst, The Ogren Group.

"We intend to vigorously defend any such claims and we believe we have meritorious defenses to those claims that have been asserted to date," Carr said. "At this time we do not have information that would enable us to reasonably estimate the amount of losses we might incur in connection with such claims."

The Princeton, N.J.-based payment processor announced Jan. 20 that its systems were breached last year when intruders installed malware to pilfer data crossing the company's network. Since then, Sherriff's authorities in Tallahassee, Fla. arrested three suspects for using stolen credit card numbers to make purchases at local Wal-Mart stores. The credit card numbers used by the trio were allegedly stolen from the Heartland processing center in New Jersey.

Carr said the company's sales force was doing well despite the obvious challenges caused by the combination of the downturn in the economy and the data security breach. The payment processor's current customer base has responded positively, he said.

"In the weeks since our announcement of the breach, we have installed more margin, and have a bit less merchant attrition, than in the same period in 2008," Carr said.

Despite the breach and the current economic conditions, the company expects revenue to grow by 12-16% in 2009. The company said its guidance to financial analysts and investors does not include estimates for potential losses, costs and expenses arising from the data security breach.

In the SEC filing, Carr also reiterated his earlier call for pursing efforts for the development of industry-wide implementation of end-to-end encryption. The goal would be to design protection standards that could protect data at rest as well as in motion, Carr said.

Tags: Data breaches and prevention strategies,  SEC and FDIC regulations,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Data breaches and prevention strategies Bank computer technician indicted in identity theft scheme Survey: Consumers don't trust banks to keep their data secure ChoicePoint settles with FTC over second data security breach Data breach lawsuit puts spotlight on bank's security measures Google ordered to deactivate Gmail account after bank email error Threat of insider fraud growing with bad economy Data breach protection: Implementing vendor breach safeguards Zeus Trojan hitting banking customers hard TJX settles with banks for $525,000 RBS WorldPay agrees to market VeriFone end-to-end encryption SEC and FDIC regulations SEC cracks down on kickback schemes SEC: 404 budgets filled with waste SEC suspends trading of 35 companies over spam SEC document offers clues on TJX security failings FFIEC impact so far

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Governance, Risk and Compliance  (SearchFinancialSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary