Heartland Payment Systems will pay up to US$60 million to issuers of Visa credit and debit cards for losses they incurred from a 2008 data breach at the large payment processor.
The settlement between Heartland and Visa, announced Friday, will offer card issuers “an immediate recovery with respect to losses they may have incurred from the Heartland intrusion,” Ellen Richey, Visa’s chief enterprise risk officer, said in a statement.
Heartland disclosed the breach a year ago. The U.S. Department of Justice has charged Albert Gonzalez and several other accomplices with the data breach, and Heartland was one of several companies they broke into using SQL injection attacks. Gonzalez and his associates stole more than 130 million credit card numbers from Heartland, prosecutors alleged.
Gonzalez has pleaded guilty in the Heartland case and in two other data breach cases. In the Heartland case, he pleaded guilty in December to two counts of conspiracy and will receive a prison term of at least 17 years.
Heartland’s settlement with Visa is the second the company has announced in the past month. Heartland agreed to pay American Express $3.6 million in a settlement announced in December.
Bob Carr, Heartland’s chairman and CEO, called the deal with Visa a “fair settlement.” The company is committed to helping card issuers reduce data breach risks, he said in a statement.
The Visa/Heartland settlement agreement will go into effect after 80 percent of the eligible card issuers accept the deal, the two companies said in a press release. U.S. and international card issuers are eligible for the settlement money. By participating in the program, card issuers release Heartland and Visa from any additional liability.