Heartland Payment Systems has agreed to pay up to $60 million to Visa and Visa Issuing banks for its 2008 breach of over 130 million credit card data. The press release offers very little in the way of details and simply says, "Visa will present the details of the settlement in coming days."
A key question is whether this settlement includes the issuing banks' costs for reissuing cards or just losses due to actual card fraud directly related to the illegal use of the stolen card data.
Recently, issuing credit card unions and their insurance company lost a lawsuit they filed against BJ's and its acquiring bank, Fifth Third, for losses they incurred which resulted from BJ's 2004 breach. The key difference with this settlement is that Visa was directly involved in the negotiations. If Visa were to terminate Heartland's Visa card processing contract, it could be an existential blow to Heartland.
The amount of this settlement blows well past the $12 million CEO Bob Carr said Heartland set aside when he announced the $3.6 million settlement with American Express. Of course, it may be years before we know (if we ever find out) exactly how much Heartland actually has to pay.