The breakdown of associated costs disclosed in Global Payments’ latest quarterly report describes a total of $60 million “for professional fees and other costs associated with the investigation and remediation,” while an “additional $35.9 million represents our estimate of total fraud losses, fines and other charges that will be imposed upon us by the card networks.” $2 million has been received from insurance companies.
The total is less (so far) than initially projected because of “lower fraud related costs attributed to this event than previously expected.” However, the company warns that there will be more costs to come from both further fines and the current and possible future litigation. “We have not reached final resolution with certain other networks. As such, the amount of fraud losses, fines and other charges that will be imposed by those networks could differ from the amount we have accrued as of November 30, 2012.”
On the legal side it faces a class action started by Natalie Willingham in April 2012, alleging “negligence, violation of the Federal Stored Communications Act, willful violation of the Fair Credit Reporting Act, negligent violation of the Fair Credit Reporting Act, violation of Georgia's Unfair and Deceptive Trade Practices Act, negligence per se, breach of third-party beneficiary contract, and breach of implied contract.” Global filed a motion to dismiss, but the courts are yet to rule. “Currently,” says the report, “we do not have sufficient information to estimate the amount or range of possible loss associated with this matter.”
As a result of the breach, “certain card networks removed us from their list of PCI DSS compliant service providers.” That much is not surprising, and the quoted $60 million includes the cost of regaining compliance. “Our failure or a delay in returning to the list could have a material adverse effect on our business, financial condition, results of operations and cash flows.” But this seems to contradict another, and more surprising, statement: “To date, the impact on revenue that we can confirm related to our removal from the lists has been immaterial.”
Databreaches.net is perplexed by this statement. “So what are we to make of their report about the impact – or lack thereof – of losing PCI-DSS compliant status? Does losing compliant status really not significantly impact a payment processor? If so, then where’s the motivation to comply? Does their insurance depend on PCI DSS compliance? If not, why should they care about compliance if there’s been no material losses due to non-compliance?”