The company was recertified PCI DSS-compliant and plans to introduce end-to-end encryption

May 8, 2009 08:43 GMT

During a conference call yesterday regarding the Q1 earnings of Heartland Payment Systems, the company's CEO, Robert Carr, revealed that the company has spent over twelve and a half million dollars so far as a direct result of the data breach incident disclosed in January. He also announced plans to introduce end-to-end encryption for transaction processing in the second half of the year.

Heartland Payment Systems is one of the largest payment processors in the United States, serving over 250,000 merchants across the country. On January 20, the company announced that unknown attackers had penetrated its network's security and accessed transaction data. The intrusion was detected during an internal investigation prompted by notifications sent by MasterCard and Visa, regarding fraudulent activity on some cards processed by the company.

Because of the incident, in mid-March, Heartland was removed from both Visa's and MasterCard's lists of providers compliant with the Payment Card Industry's Data Security Standard (PCI DSS). "We are very pleased to report that we have recently been recertified PCI DSS compliant after being evaluated by a quality security assessor and have been returned to Visa’s and MasterCard’s lists of PCI compliant service providers and Discover has also accepted Heartland’s compliance report," Robert Carr told the analysts participating in yesterday's conference call.

The company reported a GAAP loss of $2.5 million for the first quarter of 2009, but that's partially because of legal and other expenses associated with the data breach incident, which totalled $12.6 million. "Excluding expenses directly attributable to the processing system intrusion, net income would have been $5.4 million or $0.14 per diluted share," Bob Baldwin, Heartland's president and CFO, said.

The company's sponsored banks have been fined by both Visa and MasterCard as a result of the intrusion, but while the Visa fines amount to under $1 million, the ones assessed by MasterCard represent over 50% of the $12.6 million. The latter claims that Heartland failed to act appropriately after learning of the breach, a claim that the company is determined to challenge in court.

"Heartland believes that it responded appropriately to all information that it learned regarding the possibility of the system breach and that, upon discovering the intrusion, it took immediate and extraordinary action to address the intrusion," Mr. Carr stressed.

The novel end-to-end encryption announced by Heartland is said to have been well received by the card brands. "There’s five steps to a true end-to-end encryption and we have, we believe that with our merchants’ cooperation we have control of four of those five steps as a full service merchant processor," explained Carr, who also felt that the new technology would give the company a competitive advantage.

Test runs of the system will begin during the summer, and the costs of the technology will eventually have to be borne by the merchants, because it requires hardware upgrades. The company feels that these costs won't turn out to be so high, because they will eventually be balanced by the reduction in current compliance costs.