Ending three months in the wilderness, Heartland Payments Systems has returned to MasterCard’s and Visa’s validated service provider lists following successful completion of its annual Payment Card Industry Data Security Standard (PCI DSS) assessment on 30 April.
Reinstatement ended a period during which the sixth-largest payments processor in the US had been operating in a probationary status following its announcement on 20 January that it had fallen victim to a potentially massive data breach.
Perhaps surprisingly, Heartland came through its ordeal with less damage than might have been expected.
In the first quarter of 2009, Heartland, which provides processing services to some 250,000 merchants country-wide, reported a transaction volume of $15.5 billion, up 17.4 percent compared with the first quarter of 2008.
Growth was achieved despite attempts by certain unnamed rival processors to gain advantage from the situation.
Heartland CEO Robert Carr told delegates to an investors’ conference earlier this month: “We have had some competitors telling merchants they will be fined $10,000 a day if they stayed with Heartland.”
However, Heartland did not escape unscathed financially in the first quarter, reporting a net loss of $2.7 million compared with an $8.7 million profit in the first quarter of 2008. Had it not been for expenses directly attributable to the processing system intrusion net income would have been $5.4 million.
Despite its validation as being PCI DSS complaint, Heartland is pressing on with its strategy of taking security beyond the laid down requirements.
“While they continue to support the PCI standard as necessary improvements in the security of cardholder data, Heartland is committed to going beyond this standard in order that both merchants and cardholders can have the highest possible confidence in the security of their payment card data,” Carr stressed at the conference.
He continued that Heartland will introduce its fully encrypted end-to-end terminal solution in the third quarter of 2009.
“We believe [this] will offer merchants the highest level of data security in the marketplace,” said Carr.
Heartland is also in the forefront of a drive to develop a new standard to protect cardholder data in the electronic payments industry being spearheaded by the Accredited Standards Committee X9 (ASC X9), of which it is a member.
Accredited by the American National Standards Institute, the ASC X9 develops, maintains and promotes standards for all financial services in the US and has pioneered standards for items including the credit card magnetic stripe and ATM systems.
Though the ASC X9’s ‘Sensitive Card Data Protection Between Device and Acquiring System’ initiative has yet to be formally launched, the first preliminary planning meeting to discuss technical approaches to improving data protection was hosted by Heartland on 7 May.