Heartland Payment Systems on Jan. 8 announced that it has agreed to pay up to $60 million to Visa to cover losses to credit and debit cardholders affected by the massive data breach Heartland suffered in 2008.
According to Heartland's news release, the settlement agreement is "contingent upon acceptance by financial institutions representing 80 percent of the eligible issuers' U.S. accounts that Visa considered to have been placed at risk" when convicted hacker Albert Gonzalez and his crew broke into Heartland's network. The breach was disclosed by Heartland in January of 2009 and is believed to have exposed more than 100 million credit and debit card numbers.
"We believe issuers will benefit by participating in this settlement program because it offers an immediate recovery with respect to losses they may have incurred from the Heartland intrusion," Ellen Richey, chief enterprise risk officer for Visa, said in a statement. "Helping financial institutions mitigate costs after a data security breach has been a long-standing component of Visa's security strategy, along with promoting new security technologies, preventing fraud and leading efforts to secure sensitive data across the entire payment system."
The Heartland release continued:

"Heartland will fund up to $59.22 million of the amounts to be made available to Visa and its issuers under the settlement program. Additionally, Visa will credit the full amount of intrusion-related fines it previously imposed and collected from Heartland's sponsoring bank acquirers towards the $60 million maximum funding of the program. The settlement amount represents a significant recovery to Visa issuers for losses they may have suffered due to the data breach."
"We are pleased to have reached a fair settlement agreement that helps issuers obtain a recovery with respect to losses they may have incurred from the intrusion," Bob Carr, Heartland's chairman and CEO, said in a statement. "At Heartland, we are also committed to helping issuers—as well as all stakeholders in the payment ecosystem—mitigate future risk."
After the breach, Heartland began pushing for industrywide adoption of end-to-end encryption. For many, however, the breach underscored the fact that compliance with the PCI DSS (Payment Card Industry Data Security Standard) is not the be-all and end-all of security.
"Not all attacks will be prevented, but the size of the fine serves as a prime example of the importance of quickly identifying breaches when they occur," said Don Gray, chief security strategist for Solutionary. "Had the breach been quickly identified, the number of payment cards affected [might] have been drastically reduced, leading to a much smaller fine."
The settlement with Visa follows the company's decision to settle with American Express for $3.6 million in December.