cover story

What Does the Heartland Data Breach Mean for the Future of Value in Merchant Acquiring?

 
 

   
    
by Harold Montgomery

  

   The recent Heartland Payment Systems data breach destroyed a great deal of the company's market value as skittish investors became painfully aware of the consequences of risks which have not previously been well-understood in this industry. Investors received a rude surprise when the already shaky value of HPY stock collapsed, quickly falling from about $18 per share in early January to less than $10 and then to $3.57 by early March. Since then, HPY has staged a steady recovery, but has yet to see $10 per share (as of mid May). All told, in the last year, Heartland shareholders lost over $1 billion in market capitalization. Not all of that is due to the data breach alone of course. HPY stock was settling down at the time the breach occurred, dropping from the low $30 range to about $18 per share. But if you look at the stock price chart below, you can clearly see the drop off from early January, 2009 to March is very steep indeed. The trading volume graph below shows the level of panic about HPY value as terrified shareholders ran from the consequences of the data breach.

[Chart: HPY stock price and trading volume]

    

   This unfortunate episode marks a turning point in the history of the acquiring business. The new message from the industry is: "It's not all good news all the time anymore. There are real boogey men out there and the newest one is mass data breach risk and damages related to it." The message back from the stock market is: "We don't know what mass data breach risk is. We don't know what it costs. And we don't like it."
   In its first quarter 2009 statements, Heartland accrued $12.6 million in charges related to the breach, and stated that it does not expect more costs, but can't be sure. Therein lies the difficulty with this whole issue: uncertainty. If there's one thing the financial community hates, it's uncertainty. The stock market won't tolerate uncertainty, particularly when the results are as potentially catastrophic as they are with PCI data breaches. $12.6 million is a lot of money, but for Heartland it's not the end of the world. The problem is that no one is sure that's the final amount and no one is sure this can't happen again. Proving that a company doesn't have data breach risk is impossible. Once a data breach occurs, investors can't view the company the same way again. It's tainted in investors' minds as being riskier than what they had imagined, and therefore should have a lower value and share price than before. Companies with that level of uncertainty around earnings don't get premium valuations no matter what industry they are in.
   The very nature of the Heartland breach makes the point. The company had some kind of malware resident on their systems for a period of time copying information to another destination undetected. For how long? Not sure. How many card numbers were taken? Don't know exactly. What are the damages? Still uncalculated. Can this happen again? Of course. In fact it might be happening right now at Heartland or some other company in the industry completely undetected. One industry executive managing data breach risk told me his systems were under attack hundreds of thousands of times a month. While IT staffs throughout the industry are no doubt working overtime to make sure another breach doesn't occur, my guess is that Heartland's staff was working overtime before the incident trying to prevent it. It's impossible to say whether a breach will happen again, when, and what the magnitude of a future breach might be. Compliance with PCI rules promulgated by card associations is good, but not good enough. Rule-making bodies are responding to initiatives by cyber criminals, not leading them—they're by definition in a defensive posture on this issue. IT managers throughout the industry are discovering data breach holes because cyber terrorists reveal where they are. (NB: In that sense, the cyber criminals are useful and may put themselves out of business assuming there's a limited number of ways to breach processing systems. But again, who knows if the ways to get in are limited or not?)
   Investors will now discount Heartland's value taking into account the unknown cost and likelihood of another breach. No matter what happens from here, Heartland, or any company with mass data breach liability, will be considered a riskier investment than it was before the breach occurred. That means Heartland won't have the same trading multiple it had before the incident. Ever.
   This happened to another company, Card Systems, about four years ago. In that case, the company had kept confidential consumer information it should not have retained and a hacker got hold of it. Since that was a private company, there was no stock market damage but the investors were wiped out when the company was sold to Pay By Touch. The data breach was estimated at 40 million card numbers in that case. That breach was more preventable and more detectable than the Heartland breach which involved a sleeper form of software designed to be undetectable. Clearly one of the issues here is that cybercriminals are becoming more sophisticated and clever about what they do. There's every reason to believe they will improve their techniques and methods over time.
   The Card Systems and Heartland experiences are so financially brutal and visible they will affect the valuation of other players in the market. Investors thinking of buying into the processing/acquiring business are going to do their due diligence work, see Heartland's record and downwardly re-evaluate their sense of what companies in our industry are worth relative to historical valuations. Every player with mass data breach risk will face this issue. It's an open question whether an entity with mass data breach risk can even be sold today.
   Smaller, marginal players handling PCI risk will attempt to offload that risk on to larger players who already have it. Larger processors who currently have mass data breach risk in a big way (First Data, Global, etc.) will continue to have it, because there's no way to transfer it to someone else. That means the cyber terrorists will have fewer (but probably better protected and monitored) targets to aim for. Somebody big has to handle mass data breach risk, so that when an event occurs, it's cushioned by the balance sheet of a large and probably diversified player. (Either that or there will need to be legislation capping the liability for mass data breach costs and damages.) The industry as a whole will be better off if the issue is managed by large players with large budgets and monitoring staffs capable of winning the war with cybercriminals. Maybe that will frustrate them by raising the bar so high they will give up and go away. Or, maybe not. Only time will tell. I don't think the stock market will wait around to find out if mass data breach risk is gone or not. Investors want proof.
   The bottom line of this episode is that the stock market is no longer a viable destination for acquirers with significant mass data breach risk, until the issue permanently and verifiably goes away. Stock market valuations are no longer applicable to our industry. Heartland used to trade at a multiple of 11 times EBITDA, and now trades at 3.5. Anyone growing an acquiring business today has to measure the cost of building that business relative to private company multiples, which are significantly lower than public multiples. Anyone making acquisitions in the business today has to do likewise. It won't work to buy high and sell higher anymore. Those halcyon days are for the history books. Mass data breach and the uncertainty it brings have destroyed that dream for quite a while to come.
   There's still value in this business, but it will take a new recipe to realize it fully. Whoever can figure out how to grow cash flows in the acquiring space without taking mass data breach risk will achieve the maximum valuation possible in the future. The company that emerges as a profitable, efficient merchant services company without exposure to potentially unquantifiable, unpredictable, catastrophic risks will be the winner in the next round of the industry's development.