Breach, Compliance Management, Data Security, Security Strategy, Plan, Budget

Heartland: Visa won’t fine you for doing business with us

Updated on Tuesday, March 24 at 3:36 p.m. EST

Heartland Payment Systems is fighting back against competitors it says are falsely informing customers that they face fines if they continue doing business with the breached payment processor.

Robert Carr, the Princeton, N.J.-based company's chairman and CEO, said in a letter posted on the firm's breach information website that Heartland has sent cease-and-desist letters to some competitors -- which he did not name -- telling them "that their untrue and misleading claims are baseless and unlawful."

"Heartland intends to initiate legal action against them if they do not immediately stop making these claims," Carr said.

It appears Heartland's competitors began trying to pluck customers away from the company after Visa announced earlier this month that it had removed Heartland from its list of Payment Card Industry Data Security Standard (PCI DSS)-compliant service providers.

The removal prompted some experts to suggest that merchants using Heartland to process their credit card transactions could themselves face fines because Heartland was deemed out of compliance.

But Avivah Litan, vice president and distinguished analyst with Gartner, questioned Visa about this possibility and was told that the payment brand had no interest in fining Heartland as it works toward recertification with the PCI standards. (Heartland has said it expects to be back in compliance by May.)

"Visa issued a statement to Gartner indicating that merchants and other card payment-accepting enterprises can continue to do business with the U.S. payment processors Heartland Payment Systems and RBS WorldPay (another breached processor) without threat of fines from Visa," Litan wrote in a Monday research note.

Visa on Tuesday confirmed this stance to SCMagazineUS.com.

"The PCI DSS compliance status of Heartland and RBS WorldPay will not cause otherwise compliant merchants to be subject to non-compliance fine assessment if all other standing PCI DSS validation requirements have been satisfied," Visa said in a statement.

Carr said that should a card brand attempt to fine a merchant for using Heartland as its processor, the company will reimburse the retailer "in the event the fine is found to be legally enforceable."

The Heartland letter comes on the same day as New York law firm Kirby McInerney announced it filed a lawsuit against the payment processor, charging it with violating federal securities laws. The suit contends that between Aug. 5, 2008 and Feb. 23 -- when the shares of Heartland fell $21.84, or about 80 percent -- Heartland made false or misleading statements and failed to disclose "material adverse facts" about the company's business operations.

Feb. 24 was the date Heartland delivered its fourth-quarter earnings call, on which it discussed the breach, indicating that potentially tens of millions of credit card records were exposed.

"We clearly face some added hurdles in our business as a result of the breach," Carr said on the call.

A number of other lawsuits also have been filed against Heartland.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds