The Agency Insider with Linda McGlasson

Heartland/Visa Settlement Raises Questions

Heartland/Visa Settlement Raises Questions

The $60 million settlement announced by Heartland Payment Systems and Visa on Friday didn't come without some provisions (translated: strings attached) for those institutions thinking about taking the settlement offer.

The announcement on face looks to be a good one for the institutions that were hit by the breach, the largest to date of credit card data. By most measures, it is a bargain for Heartland, even with the $60 million price tag. But questions are raised on the timing of the settlement, its requirements and the short window to participate.

Looking at the calendar, the announcement came in on a Friday morning, Jan. 8. The deadline for institutions to have their paperwork in as proof they will participate is Jan. 29. No real details were given in the announcement, other than to make one thing really clear: If an institution takes this settlement, it will then have no recourse against Heartland in collecting any other money due because of fraud from the breach. Visa says it will be sending out by email information to the affected institutions on the "Alternative Recovery Offer" on Jan. 14. That leaves 12 business days before a decision has to be made, forms completed and sent back to participate.

The requirement that 80 percent of Visa issuing banks that were affected by the breach must participate in the settlement also raises a question. Why the large percentage? Could Heartland be worried that some banks won't take the settlement offered, which after $1,000 is only an equal match to the losses? Institutions that make the decision to go with the settlement will be reimbursed only the amount to date. The settlement doesn't include any future fraud that may happen because of the breach.

It's also interesting to see the speed at which Visa and Heartland expect institutions to make this decision. A three-week window to get more information, digest it and present it to senior management, and possibly the board of an institution, is cutting it close. Real close.

Finally, the last question I have to ask is the most obvious: Why now? It can't be that the upcoming one-year anniversary of the Heartland announcement has any bearing. My thought is that Heartland is pushing this settlement out in front of issuing institutions, hoping they'll take it and then forgo any participation in the class action suit being brought against it.

The judge has not ruled on the class action suit yet, which may be why Heartland has pushed this offer out to institutions, with Visa's blessings and participation, in order to enlist as many institutions as possible before a ruling comes down on whether the case will move forward, or if Heartland's motion for dismissal is upheld.

Should Heartland fail to secure the 80 percent participation rate, it can go back and say it tried with good faith to make amends to issuing institutions, but not enough institutions wanted the settlement offer. There are institutions out there (that will remain unnamed) that have replaced their entire card base at a substantial cost to their bottom line. One institution I know of spent $1 million to replace its cards because of the Heartland breach.

The deadline clock is ticking. Let's see which affected institutions take the settlement - and which ones don't.



About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.