Extent of Heartland Breach Unknown; Probes Multiply

Fallout from the data breach it announced last month will probably pose the biggest challenge of the year for Heartland Payment Systems Inc.

The Princeton, N.J., processor said Tuesday that its costs related to the incident will be significant, though it still cannot estimate how many consumer accounts were compromised. It said that it expects to lose some customers.

Robert Carr, Heartland's chairman and chief executive, said the company has been named in numerous lawsuits and investigations by regulators.

"We are the subject of several governmental investigations and inquiries, including a new formal inquiry by the [Securities and Exchange Commission] and the related investigation by the Department of Justice, an inquiry by the [Office of the Comptroller of the Currency], and an inquiry by the" Federal Trade Commission, he said during a conference call with analysts. "We believe we have meritorious defenses to the claims asserted against us."

Heartland has said its systems were in compliance with Payment Card Industry data security standards and therefore should not be held responsible for the breach. The company said last month that it had discovered a malicious program installed in its systems.

Robert Baldwin, Heartland's president and chief financial officer, said the company still cannot estimate how long the program ran, how many card accounts may have been affected, or how much the company will have to spend handling the incident.

Though Heartland expects breach-related costs to be "material," the processor has the ability to absorb significant costs, Mr. Baldwin said.

Mr. Carr said he expects competitors to use the incident to poach his customers "and some will succeed."

Still, he said, Heartland's sales performance since the breach has been encouraging. Since disclosing the breach Jan. 20, "our merchant attrition has actually been a hair better than in the same period of 2008," he said.

Investigators have been unable to determine how long the malicious software ran on Heartland's server, though they now believe it became inactive sometime last year, Mr. Carr said.

"It seems clear that the malware was not active at all times during those periods and was probably not capturing information from 100% of transactions flowing through the system even when active — or exporting all the captured information to the criminals," Mr. Carr said.

Heartland is moving to encrypt card data throughout its network, he said, and it is pushing others in the payments industry to follow suit. "What the breach makes clear is the fact that the card brands need to move to an entirely new level of data security, one that doesn't rely on the success of protective walls to protect our data," he said. "Encryption of data in motion appears to be an important next step."

Despite the fourth-quarter economic slowdown, Heartland reported revenue of $100.1 million, up 31.3% from the year earlier. And net income grew 18%, to $8 million, or 21 cents per share.

Earnings for the full year were $1.08 per share, up 20%.

The company said it expects revenue to rise this year by 12% to 16%, to $430 million to $445 million, and earnings of $1.14 to $1.22 per share, excluding any losses or expenses from the breach.

Jacob Jegher, a senior analyst at Celent, the financial research arm of Marsh & McLennan Cos., said that Heartland's efforts to promote wider use of encryption could lead to PCI rules requiring end-to-end encryption of card data on all networks.

"From now on, everyone has to be encrypted from point to point," he said. "If you can't do that, you shouldn't be in business today."
