Heartland pays another $5.4m for malware infection

Attacks on payments hub.

The United States' fourth largest credit card payments processing company Heartland Payment Systems has agreed to pay a US$5 million ($5.4 million) settlement to its financial services customer Discover over a data breach caused by a malware infection.

Heartland processed card payments for Visa, Mastercard and other financial service providers to the tune of US$70 billion in 2009.

The payments processor had already paid American Express US$3.6 million over the same breach, while Visa agreed to cap its compensation demands to US$59.2 million.

In early 2008 malicious software infiltrated Heartland's payments system, which allowed attackers for several months to collect in-transit, unencrypted payment card data, according to Heartland's 2009 Securities and Exchange Securities filings.

"This settlement marks our final agreement with a card brand related to the intrusion," Bob Carr, Heartland's chairman and chief executive officer said Wednesday in a brief statement.

Heartland held a US$100 million reserve fund to compensate companies affected by the breach.

Despite in-transit data not being required to be encrypted in 2008 under the Payment Card Industry's Data Security Standard (PCI-DSS), both Mastercard and Visa briefly removed the company from their list of compliant providers as a result of its system's compromise.

Heartland was not the only major payments processor to suffer an attack in 2008. A Russian hacker is facing charges in the US for allegedly breaking the Royal Bank of Scotland's encryption for its US payroll processing network, RBS WorldPay.

The hacker was alleged to have stolen US$9.4 million in the 2008 attack.