Tsibouris & Associates Blog

Monday, February 02, 2009

Heartland Payment Systems Loses Credit Card Data to Malware

By Mehmet Munur

Heartland Payment Systems, the 6th largest card acquirer in the United States with a processing volume of $51.9 billion, reported that its “investigation uncovered malicious software that compromised data that crossed Heartland’s network.” This data breach is disconcerting for two reasons: consumers may be unable to pin down the source of the resulting fraudulent transactions, and Heartland was a Payment Card Industry Data Security Standard (PCI DSS) compliant acquirer. Heartland will likely be subject to liability from consumers, investors, and the FTC.

Heartland’s data breach may have revealed close to 100 million card numbers. It appears that malicious software within Heartland’s network collected the data encoded on the magnetic stripes of credit and debit cards. Heartland believes that security codes and sensitive data such as driver’s license numbers or social security numbers were not part of the breach; therefore, the risk of identity theft is minimal. However, the risk of financial loss still exists, because the captured magnetic stripe data can be written onto a counterfeit card and that card used fraudulently. Considering that Heartland services all types of merchants, the largest risk to consumers is that such fraudulent transactions could come from any source, and consumers have no way of identifying whether any of their cards was involved in the breach.

Another disturbing point for both consumers and corporations is that Heartland was a PCI DSS compliant acquirer. According to its 2008 10-K, Heartland “maintain[ed] current updates of network and operating system security releases and virus definitions, and have engaged a third party to regularly test [its] systems for vulnerability to unauthorized access.” Furthermore, Heartland encrypted the data stored in its databases but not when the data was in transit across its network. Heartland’s assumption was that its network was secure. As a result of the breach, Heartland’s listing in Visa’s Cardholder Information Security Program is now under review. To remedy the situation, Heartland announced that it would begin encrypting cardholder data throughout its network.

However, encryption is not the silver bullet that will save Heartland—or another acquirer—in the future. PCI DSS requires that cardholder data be encrypted when it is stored and while it crosses public networks, but it does not require that data be encrypted while crossing an acquirer’s internal network. Even where it is encrypted in transit, the data must be decrypted at some point in order to be processed, and malware on the processing system can capture it there. Furthermore, given the fast evolution of malware, a vulnerability is likely to develop within any system at some point. Companies that thrive on data processing must therefore approach data security with comprehensive processes, such as those described in ISO/IEC 27002. This is not to say that PCI DSS is inadequate. Considering that the 6th requirement of PCI DSS is the development and maintenance of secure systems and applications, it appears that it was Heartland’s implementation of PCI DSS that failed—not PCI DSS itself.

Heartland may be subject to legal liability from consumers, the Federal Trade Commission, and investors. A week after the breach, Heartland is already facing a class action lawsuit. TJ Maxx recently settled a similar class action lawsuit arising out of its data breach using its reserve of $178 million. Such a class action lawsuit may prove costly for Heartland as well.

TJ Maxx did not have to pay a fine to the Federal Trade Commission. Heartland may be lucky enough to avoid fines from the FTC as well. Yet, similar to TJ Maxx’s FTC settlement, Heartland may be subject to third-party audits as part of a compliance program for the next 20 years. Heartland may also be able to avoid a lawsuit from its investors. While Heartland’s stock price has declined from about $18 to $8[1] since the breach became public, it appears to have made the appropriate disclosures as part of the risk factors in its 10-K:

Unauthorized disclosure of merchant and cardholder data, whether through breach of our computer systems or otherwise, could expose us to liability and protracted and costly litigation.

Our computer systems could be penetrated by hackers and our encryption of data may not prevent unauthorized use. In this event, we may be subject to liability, including claims for unauthorized purchases with misappropriated bank card information, impersonation or other similar fraud claims. We could also be subject to liability for claims relating to misuse of personal information, such as unauthorized marketing purposes. These claims also could result in protracted and costly litigation. In addition, we could be subject to penalties or sanctions from the Visa and MasterCard networks.

In sum, corporations like Heartland that make their money through processing personal data should invest in data protection using comprehensive processes, especially if the loss of that data may result in financial liability. Such comprehensive processes are likely to better protect corporations and their customers against data breaches.

[1] The connection between data breaches and stock price declines has been the subject of several studies since the ChoicePoint data breach.
