Visa Deal Pushes Heartland Breach Settlement Costs (So Far) To $65 Million

Written by Fred J. Aun
January 14th, 2010

A settlement with Visa announced Friday (Jan. 8) will require Heartland Payment Systems (HPS) to pay $59.22 million to compensate Visa card issuers for costs they incurred as a result of the massive data breach at Heartland that began in 2007. The Visa settlement follows two other recent agreements, one with American Express and another with a group of breach-affected cardholders, and it brings Heartland’s breach-related settlement tab to about $65 million.

But the bleeding won’t stop there. HPS has yet to reach agreements with Discover, MasterCard or others.

The Visa agreement, described in a filing with the U.S. Securities and Exchange Commission (SEC), calls for HPS to take out a $53 million loan to help it pay the $59.22 million to Heartland Bank and KeyBank National Association, two of its sponsor banks. Visa will return to the banks $780,000 in fines it collected from them after the breach.

The massive intrusion, which exposed data on an estimated 130 million cards, began in December 2007 and wasn’t discovered until January 2009. It was allegedly masterminded by Albert Gonzalez of Miami.

“The settlement amount represents a significant recovery to Visa issuers for losses they may have suffered from the Heartland data security breach,” said Visa and Heartland in a statement, stressing that not only will all U.S. card issuers be eligible to receive a portion of the recovery but international issuers of accounts that Visa “considered to have been placed at risk of compromise” will also be included.

Visa and Heartland pointed out the settlement agreement must be approved by at least 80 percent of the affected card issuers. In the statement, Visa’s chief enterprise risk officer, Ellen Richey, said Visa believes the issuers “will benefit by participating in this settlement program because it offers an immediate recovery with respect to losses they may have incurred.” Heartland CEO Bob Carr, in the same statement, said he believes the settlement with Visa is a fair one that “helps issuers obtain a recovery.”

The settlement between Heartland and American Express, announced in mid-December, calls for Heartland to pay Amex $3.6 million. It was described by Heartland as being “the first agreement with a card brand” relating to the data breach. Additionally, Heartland agreed to settle consumer cardholder class action lawsuits that were consolidated in U.S. District Court for the Southern District of Texas. Under the terms of the settlement, Heartland will pay $1 million to $2.4 million “to class members who submit valid claims for losses as a result of the intrusion.”

The settlement is limited to people who had payment cards used in the U.S. between Dec. 6, 2007 and Dec. 31, 2008 “and who allege or may allege they suffered losses” due to the breach at Heartland. Heartland also agreed to pay all costs associated with the administration of the settlement, including up to $1.5 million for sending notices to class members and up to $760,000 of the attorneys’ fees and costs.

One tidbit, buried in a statement about the settlement, notes that Heartland will “submit the report of an independent expert” regarding its actions and plans “to enhance the security of its computer system” since the breach was disclosed. Heartland reserved the right to cancel the agreement if more than 2,500 people submit bona fide requests to be excluded from the class or if it will cost more than $1.5 million to send notices about the settlement.


One Comment

  1. Janice Gaines Says:

    Anyone else here reading “I.T. WARS”? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has great chapters on security, as well as risk, content management, project management, acceptable use, policies, and so on. Just Google “IT WARS” – check out a couple links down and read the interview with the author David Scott. (Full title is “I.T. WARS: Managing the Business-Technology Weave in the New Millennium”).

