Digital Transactions Authoritative, insightful and timely information for payments professionals
The breach-related troubles just keep piling on for merchant acquirer Heartland Payment Systems Inc., according to the acquirer's annual report filed on Monday with the U.S. Securities and Exchange Commission. In the filing, Heartland revealed the data breach it sustained last year is under investigation not only by the U.S. Department of Justice, the SEC, the Federal Trade Commission, and the Office of the Comptroller of the Currency, but also by the Federal Financial Institutions Examination Council, attorneys general of several states, including Louisiana, the Canadian Privacy Commission, and other government officials. Negative publicity from the breach, which Heartland disclosed Jan. 20, also could cause an increase in merchant attrition, according to Heartland's filing. During 2008, 2007, and 2006, Heartland experienced average annual attrition of 17.3%, 12.6% and 11.1%, respectively. Major causes of attrition included business closures, transfers of merchants' accounts to competitors, account closures initiated by Heartland due to heightened credit risks, or contract breaches by merchants. Heartland also could lose the sponsorship of its primary sponsor bank, KeyBank N.A., if MasterCard Inc. and Visa Inc. determine the acquirer is in violation of operating regulations. Visa last week announced it has kicked Heartland off of its list of processors compliant with the Payment Card Industry data-security standards, or PCI (Digital Transactions News, March 14). Heartland had passed its most recent PCI DSS inspection shortly before hackers apparently gained access to its systems last year. In addition, Heartland had been named in 16 class-action suits filed by consumers in nine states and four class-actions suits filed by card-issuing financial institutions in two states as of March 13. The consumer suits seek damages for such claims as negligence, breach of contract, violation of the Fair Credit Reporting Act, state data-breach notification statutes, and state unfair and deceptive practices statutes. The financial institutions are seeking compensatory damages for the costs of issuing replacement cards and losses stemming from unauthorized transactions. No dollar amounts were listed. Heartland and its executives also are the targets of a class-action suit alleging violations of federal securities laws in connection with company disclosures about the breach and the alleged trading in Heartland securities by four Heartland executives. The SEC and the U.S. Attorney for the District of New Jersey are investigating whether there were any violations of federal securities laws, according to Heartland's filing. Heartland last week announced that Robert Carr, Heartland's chief executive, and his wife, Jill, were forced to sell 692,412 shares of the company's common stock to meet obligations under a loan for which the shares were pledged as security. The stock sales occurred around the time the breach was originally discovered but before it was publicly announced, raising speculation that Carr was attempting to cash out his shares before prices fell. Fueling that speculation was Heartland's announcement that the SEC also was investigating circumstances surrounding the breach. Carr declines to discuss the SEC investigation but in a March 2 release said the stock sale was involuntary.
