Heartland Payment Systems and MasterCard Settle on data breach

Princeton, NJ May 19, 2010 Heartland Payment Systems® (NYSE: HPY), the nation’s fifth largest payments processor, has entered into a settlement agreement with MasterCard Worldwide to resolve claims from MasterCard and its issuers related to the 2008 criminal intrusion into Heartland’s payment system environment. Under the agreement, alternative recovery offers totaling $41.4 million will be made to eligible MasterCard issuers with respect to losses alleged to have been incurred by them as a result of the criminal intrusion, and MasterCard will recommend that eligible MasterCard issuers accept such offers.

Bob Carr, Heartland’s chairman and chief executive officer, stated, “We are pleased to have reached an equitable settlement agreement that helps issuers of MasterCard-branded cards obtain a recovery with respect to losses they may have incurred from the intrusion. We look forward to working with MasterCard to encourage these issuers to participate in the settlement program for a speedy resolution.”

The settlement is contingent upon financial institutions representing 80 percent of the claimed-on MasterCard accounts accepting their alternative recovery offers by June 25, 2010. The settlement also includes mutual releases between Heartland and its sponsoring bank acquirers on the one hand and MasterCard and the accepting issuers on the other. Issuers that accept their alternative recovery offers must waive rights to any other recovery of alleged intrusion-related losses from Heartland and its sponsoring bank acquirers through litigation or other remedies and release MasterCard, Heartland and its sponsoring bank acquirers from all legal and financial responsibility related to the intrusion.

All eligible issuers will soon receive notification from MasterCard with full details of the settlement agreement and how to accept their alternative recovery offers before the offers expire.

Visa removes Heartland from PCI Compliant list

Heartland Payment Systems has been removed from Visa’s list of PCI DSS compliant service providers. This is not in response to anything new, but rather in response to a review of what is arguably one of the largest data breaches ever, the Heartland Data Breach. Heartland is actively working on revalidation of PCI DSS compliance using a Qualified Security Assessor. Visa will consider relisting following the submission of their PCI DSS report on compliance.

Heartland Payment Systems is currently on probation which means they must meet more stringent security requirements than usual.

Interestingly, Robert Carr reports on the official company data breach site that as part of their undergoing their current audit, “Many of the firm’s recommended enhancements to our security have already been implemented, and others will be as part of the current audit.” Of course, I’d be surprised if any company wouldn’t get suggestions for improvement. But they’ve had months to identify and fix problems and you have to wonder why if they were fully compliant before, they would still be identifying problems at this stage.

Heartland Payment Q4 below St. view, stock sinks to all time low

Feb 24 (Reuters) – Heartland Payment Systems Inc (HPY.N) posted a lower-than-expected quarterly profit, cut its quarterly dividend by 72 percent and said it might incur losses from the recent security breach of its system, sending its shares to a lifetime low.

The company, which provides payment services to banks, said at this point of time it cannot estimate the amount of losses that might be incurred in connection with any claims made against the security breach.

It also forecast 2009 earnings below market expectations and slashed its quarterly dividend to 2.5 cents a share to preserve cash.

Shares of the company fell about 28 percent to touch a low of $5.51. They were down $1.88 at $5.77 in afternoon trade on the New York Stock Exchange.

Net income for the fourth quarter was $8 million, or 21 cents a share, compared with $6.8 million, or 17 cents a share, a year ago. Its quarterly profit, however, fell short of the average analyst’s estimate of 26 cents a share.

Total revenue rose 13 percent to $385.9 million, but was below the market expectation of $397.3 million.

For the full year, the credit-card processing company expects to earn $1.15 to $1.22 a share, which was below analysts’ expectations of $1.23 a share. It sees net revenue of between $430 million and $445 million for 2009.

“Clearly our biggest challenge in 2009 will arise from the system breach we suffered,” said Chief Executive Robert Carr, adding that the company will defend any claims that arise against the breach.

Last month, Heartland reported a system breach and stealing of credit card information by cyber thieves in 2008, and said cardholders would not be held responsible for unauthorized, fraudulent charges made by third parties.

Are small transactions on my ecommerce site from stolen card testing ?

There are increasing reports of ecommerce businesses reporting small transactions online- usually for a couple of dollars. Consumers have reported similar transactions on their statements, for purchases not made by them. In both cases, they are tied to stolen credit card data.

Some credit card issuers have taken a very aggressive stance in identifying these types of transactions, including developing special algorithms, and are calling consumers to tell them about suspected fraud. Their cards are being replaced at no cost to consumers. Reports of these transaction types have been increasing since late December.

Are they related to the Heartland Payment Systems data breach? Some banks are automatically replacing all cards issued if they have a Heartland relationship. Specific tie-ins to the $1 and $2 transactions have not been made public yet, but the timing seems to match up.

RECOMMENDATIONS

arrests made in Heartland data breach?

Three men in Florida were arrested earlier this week on multiple charges of credit card fraud, and some of the card numbers they allegedly used are tied to the Heartland hack.

The Leon County, FL. Sheriff’s office arrested area residents Tony Acreus, Jeremy Frazier and Timothy Johns, who had allegedly used stolen credit card numbers since November, according to Sgt. Tony Drzewiecki,
spokesman for the sheriff’s office.

According to the Tallahassee, FL. Democrat, the suspects were running “a very sophisticated and complex criminal enterprise.” Law enforcement is investigating how the three men were able to obtain credit card numbers
from the Heartland breach, which was first announced on January 20.

NOTE: The above article and similar ones are being posted around the internet. Is it true? I have found no evidence yet that it is. Here is the official press release regarding the arrest- no connection to the Heartland Data Breach is mentioned.

Leon County Sheriff’s Office, Tallahassee Police Department and United States Secret Service Shut Down Stolen Credit Card Ring