Heartland warns rivals about 'baseless' claims on postbreach Visa action

Computerworld - Heartland Payment Systems Inc. is warning rivals of possible legal action if they don't stop trying to lure away its customers by hinting that continuing to do business with the breached payment processor could expose companies to fines by Visa Inc. for noncompliance with the PCI data security rules.

In a message posted on Heartland's Web site on Monday, CEO Robert Carr said the company plans to sue competitors that don't "immediately" stop making what he described as "baseless and unlawful" claims related to Visa's removal of Heartland from its list of service providers that comply with the PCI rules (download PDF).

Pointing to a statement issued by Visa on March 19, Carr tried to assure Heartland customers that the delisting action doesn't put them at risk of any financial penalties. He said that Heartland would defend its clients if claims were made against them by any of the credit card companies solely because they continued to use Heartland to process transactions, and that the company would reimburse them for any assessed fines that were "found to be legally enforceable."

Visa's statement said merchants or other organizations that accept Visa-branded credit and debit cards can continue to do business with Heartland without fear of fines while the payment processor works to get recertified for compliance with the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS). In his message, Carr also cited a Gartner Inc. research bulletin that said there was no reason to switch payment processors just because of the delisting.

Visa dropped both Heartland and RBS WorldPay Inc., another payment processor that recently disclosed a data breach, from its PCI-compliant list on March 12. The credit card company said it would "consider" reinstating Heartland and RBS WorldPay after third-party assessors certify that they meet PCI requirements.

The delisting initially raised questions about whether merchants could continue to use the two payment processors without risking penalties themselves, since Visa requires businesses to work only with service providers that have been deemed to be compliant with PCI DSS.

Carr's message noted that Heartland customers may have been approached by other payment-processing companies looking to take advantage of the uncertainty. He added that Heartland has sent cease-and-desist letters to an undisclosed number of rivals over the breach-related claims they were making to its clients.

Princeton, N.J.-based Heartland reported in January that its systems had been breached last year, resulting in the theft of card account numbers and other data. The disclosure sparked widespread security concerns in the payment card industry and has prompted several banks and credit unions to file lawsuits against Heartland.

Heartland, which processes more than 100 million transactions per month, has yet to say how many card numbers were compromised in the system intrusion. The company said last week that its goal is to be recertified by "no later than May."

RBS WorldPay, an Atlanta-based division of The Royal Bank of Scotland Group PLC, disclosed in December that the personal data of about 1.5 million holders of prepaid payroll and gift cards had been compromised during an intrusion (download PDF). It hopes to be recertified for PCI compliance by the end of next month.