Given the near certainty that it would save them having to answer all the same questions twice, it made sense for Global Payments Inc. to roll a third-quarter earnings call originally set for Wednesday, April 4 into a press conference on Monday, April 2 to address a data breach and subsequent PCI delisting by Visa.
This was the efficiency part. Then there was the therapeutic part: There's little use applying salve to a wound on Monday morning only to pick off the scab on Wednesday afternoon.
And so it was that GPN chairman and CEO Paul Garcia, president Jeff Sloan, and senior executive vice president and CFO David Mangum pulled double-duty on Monday morning, discussing Q3 revenues and possible Q4 losses.
During the press conference/conference call, questions revolved around a pair of concerns: How much will the breach cost GPN and how long will it take the company to get back its all-important record of compliance from Visa? The answers respectively (and repeatedly) throughout the one-hour call were, predicatably, "We don't know" and "We don't know."
What Global Payments did know with some assurance was the number of records involved in the breach, a much smaller total than the guesstimate currently floating around the Web — 1.5 million vs. "as many as 10 million." Also surprising (but then again, not) was GPN's acknowledgement that it might also be delisted by MasterCard.
In a prepared opening statement, Garcia also said the theft appeared to involve Track 2 data — card numbers, CCVs and expiration dates — leaving sensitive Track 1 information — customer names, birthdates, social security numbers and addresses — untapped.
Garcia's statement said that "upon reflection" Global Payments' removal from the VISA PCI compliance list was not unexpected, indicating that the company's delisting initially came as a complete surprise. Later in the conference, Garcia said "it wouldn't be unexpected" if MasterCard were to take similar action.
Garcia took pains to confirm that no systems outside GPN were involved in the breach. "I cannot stress more vehemently that this does not involve our merchants, our sales partners, or their relationships with their customers," he said. "It is also important to emphasize that consumers are completely protected if any exposure were to arise."
Breaking down the press conference Q&A and boiling down the FAQs, a summary of the presentation in Garcia's words unfolds as follows:
The 1.5 million number —
You can be sure that we worked very hard on that; we looked at every piece of data we could possibly look at and then allowed ourselves some expansion … We all believe this number to be a reasonable limit.
The source of the breach —
We're not going to share any specific details other than it's confined to North America, it's a number of servers, and there's a massive number of servers that were not implicated. And that's all we can say on that; this is an ongoing federal investigation and we've got to let them do their work.
The timeline for a fix —
You can be assured that we are working very collaboratively with the (credit card) associations. And quite frankly, they have every desire to have us button this up as quickly as possible, too, so they're pulling on the same end of the rope as we are … We don't think it's months, but we have work to do here.
The situation with Visa —
We have millions of merchants around the world who are processing Visa transactions as we speak and who will continue to process Visa transactions … we're not precluded from signing up new merchants. We're literally signing them right now. We already had our day in Asia and I can promise you they signed a lot of merchants.
… I wouldn't want to imply that this is without teeth. This is not a good thing not to have your ROC and we're very focused on getting that reinstated. We take that very seriously. But it doesn't mean we can't process, it doesn't mean we can't sign merchants — be very, very, very clear.
The timeline for ROC relisting —
In terms of getting the ROC back, we are going to do that as expeditiously as humanly possible.
The effect on customer accounts —
I can't guarantee there will be no fallout here because this is a significant thing we're working through. But so far, I would say we're very, very encouraged by the response.
The financial liability —
We understand there are two things hanging over us: getting the ROC back and identifying the exact one-time charge associated with this … [I]t's still developing, still going on, there are still costs. David needs time to get his hands around all of that.
The Internet buzz about timing —
[T]here's a lot of rumor and innuendo out there, which is not helpful to anyone, and most of it incredibly inaccurate … Approximately three weeks ago we identified that cardholder data may have been taken. Literally within hours of that discovery, we contacted federal law enforcement and the card associations.
... There was a rumor out there that we were aware of a data intrusion out there a year ago. You know, the answer is no. This is the first incident. We hope this is the last.
Also of some interest were the company's Q3 earnings numbers:
- For the third quarter, revenues grew 17 percent to $533.5 million compared to $456.4 million in the prior fiscal year.
- Cash earnings per share grew 17 percent to $0.83 compared to $0.71 in the prior year.
- On a GAAP basis, the company reported fiscal 2012 third quarter diluted earnings per share growth of 24 percent to 73 cents compared to 59 cents in the prior year.
- Expected annual revenue for fiscal 2012: $2,150 million to $2,200 million, or 16 percent to 18 percent growth over fiscal 2011.
- Expected fiscal 2012 diluted earnings per share on a cash basis: $3.50 to $3.58, reflecting 14 percent to 16 percent growth over fiscal 2011.
- Expected GAAP diluted earnings per share: $3.10 to $3.18 representing 19 percent to 22 percent growth over the prior year and reflecting some planned cost saving initiatives for Q4.
Source: Global Payments Inc.
For more on this topic, visit our security research center.