BankInfoSecurity.com - Banking Information Security News, Regulations, & Education
Heartland Breach: Inside Look at the Plaintiffs' Case
Master Complaint Details Events Before, During and After the Landmark Breach
October 8, 2009 - Linda McGlasson, Managing Editor

Prior to the Heartland Payment Systems (HPY) data breach, company executives misrepresented their "state of the art" security measures, says a new document filed in the class action suit against the payments processor.

Heartland publicly touted its "multiple layers of security," and said it placed "significant emphasis on maintaining a high level of security in order to protect the information of our merchants and their customers," according to the master complaint filed last month in U.S. Southern District Court in Houston. In January, Heartland announced it had been the victim of a data breach that is now recognized as the largest ever reported, impacting more than 130 million consumer credit/debit card accounts.

The complaint represents "everything we know about the Heartland data breach so far," says attorney Richard Coffman, representing the financial institutions suing Heartland for damages. This document lays out for the first time a sequence of events and statements made by Heartland executives about security measures and actions before, during and after the breach.

Heartland representatives did not respond to a request for comment on the contents of the complaint. The processor is expected to file for dismissal of the class action suit by Oct. 23.

Following is a timeline of events highlighted in the master complaint against Heartland.

2006: Merchant Bill of Rights

In 2006, the complaint says, Heartland created the "Merchant Bill of Rights," which the company describes as "an industry standard for fairness, honesty and transparency in credit and debit card processing." According to its website, "[a]t Heartland, we believe you have the right to ... encrypted card numbers and secure transactions ... [and] ... real-time fraud and transaction monitoring."

Heartland stressed the importance of retaining a payment processor that has adequate security measures in place: "No merchant ever wants to have the credit, debit and PIN numbers of its customers stolen by hackers. Hundreds of thousands of attempted hacks are foiled every day by large card transaction processors. It takes layers of state-of-the-art security, technology and techniques to safeguard sensitive credit and debit card account information," states the Merchant Bill of Rights webpage. "Robust security is a must - not an option. Small and mid-sized merchants have the right to encrypted card numbers and secure transactions."

The complaint says Heartland's Bill of Rights was not limited to soliciting business from merchants. Rather, it expressly was designed to assure the public at large that Heartland had adequate security measures in place to protect sensitive financial data.

2007 Pre-Breach: Security Assurances

Both before and after the Data Breach, the complaint says, Heartland assured financial institutions that the sensitive financial information entrusted to the processor was secure. One example given: the last Form 10-K filed with the SEC before the data breach occurred. Heartland made the following affirmative representations concerning its security measures: "Our internal network configuration provides multiple layers of security to isolate our databases from unauthorized access and implements detailed security rules to limit access to all critical systems."

The complaint also says that, pre-breach, Heartland's website touted the company's security measures. For example, in describing an "internally developed, client-server based transaction processing platform" called HPS Exchange, Heartland said: "Cost, security, and reliability - By operating our own data center, Heartland is able to offer benefits that include: Security - Exchange has passed an independent verification process validating compliance with VISA requirements for data security."

Dec. 2007: Breach Began

Beginning at least as early as December 26, 2007, unauthorized persons hacked into Heartland's computer network and gained access to confidential financial data associated with approximately 130 million credit cards and debit cards, according to the complaint.

Visa first alerted Heartland about "suspicious activity surrounding certain cardholder accounts" in late October 2008 - nearly one year later. Heartland's IT team subsequently worked with forensic auditors from the major card brands (Visa, MasterCard, American Express and Discover) to try to match the suspicious transactions to Heartland's processing activities.

Nov. 2008: PCI 'Insufficient'

Question: What do you learn from this sequence of events, as portrayed by the plaintiffs?

"Just blatant disregard for the clients and customers. To save themselves (the company) money, they continued to expose the rest of us to risk that we may not even be able to fully assess yet."

Copyright © 2009 BankInfoSecurity.com an ISMG Corp. company.