IMGCAP(1)]
This article appears in the May 14, 2009, edition of ISO&Agent Weekly.
The turbulent economy and the fallout from a data breach pushed Heartland Payment Systems Inc. into the red in the first quarter.
The Princeton, N.J.-based processor reported a net loss of $2.5 million last week, compared with net income of $8.9 million for the same quarter last year.
Heartland announced in January that hackers breached its network last year and captured the credit and debit card numbers and expiration dates of an undisclosed number of cards.
"The economy in the first quarter was worse than expected, and revenue suffered from the combined impact on attrition and [new merchant clients] from economic weakness and the processing-system intrusion," the processor said in a statement.
Multiple factors created a difficult first quarter for the transaction processor.
"We seem to be at the vortex of an economy that has been derailed, the dawning of an age of escalating cybercrime and possibly some fundamental changes in consumer behavior that could be changing the nature of personal consumption," noted Robert Carr, Heartland's chairman and CEO, during a conference call with analysts last week.
The processor identified the source of the breach as a "sniffer" program that made it past the company's antivirus software. Crooks use sniffer programs to analyze network data and deliver it to fraudsters.
"It is not unexpected" that the breach "would have an effect on everything from sales, attrition, expenses and legal," Robert Dodd, an analyst with Morgan Keegan & Co., a Memphis, Tenn.-based regional investment firm, tells ISO&Agent Weekly. "Across the board, it affects things."
Breach Costs
Heartland reported $12.6 million of first-quarter expenses and accruals attributable to the processing-system intrusion.
A fine imposed by MasterCard Worldwide., which said the processor had not taken appropriate action after learning its systems may have been breached, accounted for about half of those expenses, Carr said. Less than $1 million was related to fines assessed by Visa against Heartland's sponsor banks.
Heartland did not respond to a request for additional information and clarification about the breach-related fines.
Heartland considers MasterCard's fine to be in "direct violation" of MasterCard rules and applicable laws, said Carr. The processor "is prepared to vigorously contest" any liability that may be imposed on Heartland or its sponsor banks because of the fine, he said.
A MasterCard representative did not respond to a request for comment.
Since disclosing the breach, Heartland has been the subject of at least four class-action lawsuits. Two lawsuits in New Jersey and one in Florida, all filed in January, allege that the processor failed to protect consumer card data and to notify affected cardholders of the breach in a timely manner.
The fourth suit, filed by the Bala Cynwyd, Pa., law firm Brodsky & Smith LLC, alleges that the processor violated federal securities laws by issuing a series of statements that "artificially" inflated the price of Heartland's shares.
"Our defense of the claims regarding the processing-system intrusion remains ongoing," said Carr. "Much of the legal work remains to be done, and it is difficult to anticipate when these matters will come to a conclusion," he said.
PCI-Compliant Once Again
In March, Visa Inc. removed Heartland from its list of service providers compliant with the Payment Card Industry Data Security Standard. Visa reinstated the company this month. MasterCard Worldwide also removed Heartland from its PCI-compliant provider list and has since reinstated the company, said Carr.
However, being dropped from the roster of PCI-compliant companies likely prompted some concern from clients about the safety of continuing to do business with the firm.
Heartland said the number of new merchant clients during the quarter fell 9.7% from a year earlier. Dodd says the drop was "surprising" and likely a result of both the poor economy and the breach. This was the first time Heartland's new contracts have declined, he says.
Now that Visa and MasterCard have reinstated Heartland to their lists of compliant service providers, "we hope that this will end once and for all the host of falsehoods and misleading statements that a few competitors have been using, admittedly with some success, to scare merchants into leaving Heartland since we were removed in mid-March," said Carr.
Because Heartland was not on Visa's compliant-vendor list through April, the processor's second-quarter results likely will continue to show adverse effects from the breach. "The impact will moderate in the second quarter, but it will not go away," Dodd says.
Adil Moussa, an analyst at Boston-based Aite Group LLC, predicts Heartland will rebound "a little" in future quarters. However, "there may still be more hard times to come for Heartland, depending on how much they have to settle with different issuers and the different lawsuits brought against them," Moussa tells ISO&Agent Weekly.
Heartland posted revenue of $98.5 million for the quarter ended March 31, up 23.4% from $79.8 million during the same period last year. Card-processing volume grew 17.4%, to $15.5 billion from $13.2 billion. Heartland attributes that growth
primarily to the addition of petroleum clients and modest increases in activity among small and midsize merchants.
Heartland anticipates introducing a complete-encryption service in the third quarter of 2009, said Carr. "We are in a cyber-crime arms race, and we need to stay ahead of the bad guys who never rest," Carr said.
