Heartland data breach sparks security concerns in payment industry
Visa and MasterCard also have yet to divulge any specific information about the scope or nature of the breach. For instance, MasterCard said in a statement that it would be "premature for us to speak to any numbers or metrics" at this point because an investigation into the breach is still ongoing.
If the compromise was as big as is being suggested, the sheer number of compromised cards would make it highly unlikely that banks would cancel and reissue all of them, Helgeson said. The overall cost of doing that likely would be in the range of $600 million to $1 billion, he estimated. Such an amount, he added, would be far more than any credit card fraud that is likely to result from the compromise.
A breach on the scale of the outside estimates also would likely draw attention from lawmakers, regulators and the legal community, analysts predicted.
Already, one law firm, Chimicles & Tikellis LLP in Haverford, Pa., has said that it is exploring the possibility of a class-action lawsuit against Heartland. The firm, which has an ongoing lawsuit against Bank of New York Mellon Corp. in connection with a breach disclosed last May, is looking at whether Heartland was negligent in its duty to protect data and whether there might have been a breach of implied contract as a result, said Joseph Sauder, an attorney at Chimicles & Tikellis.
In addition, if it is found that Heartland wasn't compliant with the PCI requirements, the company could face potentially steep fines from the credit card companies, said Scott Vernick, a partner at Philadelphia-based law firm Fox Rothschild LLP. Banks that are forced to reissue cards because of the breach will look to Heartland for reimbursements, Vernick added. And regulators likely are going to want to know if the company was following industry best practices for IT security when it was breached, he said.
The issue of when Heartland first learned of the breach, and when the company publicly disclosed the system intrusion, will also assume significance down the road, Vernick said.
The breach is also sure to add to the growing chorus of doubt about the efficacy of the PCI rules. At a minimum, what happened at Heartland will put pressure on the card companies to enforce the requirements more stringently — and more visibly — than they have thus far.
There is precedent for harsh action to be taken, though. When CardSystems Solutions Inc., then a major payment processor, was hit by a data breach that compromised about 40 million payment cards in 2005 — just months after the first version of the PCI standard was announced — Visa and American Express Co. eventually stopped doing business with the company.
"It will be interesting to see what the card companies do" in the case of Heartland, Helgeson said.