環匯 (GPN) 2012 Q3 法說會逐字稿

Ladies and gentlemen, thank you for standing by, and welcome to the Global Payments conference call. At this time, all participants are in a listen-only mode. Later we will open the lines for questions-and-answers. (Operator Instructions). As a reminder, today's conference will be recorded. At this time, I would like to turn the conference over to your host, Senior Vice President of Strategic Planning and Investor Relations, Jane Elliott, please go ahead.

Good morning, and welcome to Global Payments conference call to discuss the unauthorized access into a portion of our processing system. We are now also going to discuss fiscal 2012 third-quarter earnings, and this call replaces the conference call previously scheduled for April 4. We will pause after our prepared remarks on the security incident and take your questions, resuming with our prepared remarks on earnings about halfway through the call. Our call today is scheduled for one hour, and joining me on the call are Paul Garcia, Chairman and CEO, Jeff Sloan, President, and David Mangum, Senior Executive Vice President and CFO.

Before we begin, I'd like to remind you that some of the comments made by management during the conference call contain forward-looking statements that are subject to risks and uncertainties that could cause actual results to vary, which are discussed in our public releases, including our most recent Form 10-K. We caution you not to put undue reliance on forward-looking statements. Forward-looking statements made during this call speak only as of the date of this call.

In addition, some of the comments made on this call may refer to certain measures such as cash earnings, which are not in accordance with GAAP. Management believes these results more clearly reflect comparative operating performance. For a full reconciliation of cash earnings to GAAP results, in accordance with Regulation G, please see our press release furnished as an exhibit to our Form 8-K this morning, dated April 2, 2012 which may be located under the investor relations area on our website, www.GlobalPaymentsInc.com. Now, I would like to introduce Paul Garcia. Paul?

Thanks Jane, and good morning, everyone. In regard to the security incident, I am very pleased to inform you that we are making significant progress in defining and rectifying the event. The Company believes that fewer than 1.5 million card numbers may have been stolen, and that the theft is confined to our North American processing system. Importantly, the investigation to date has revealed that the theft involved track two card data only. We do not believe that track one card data was taken, or that cardholder names, addresses, Social Security numbers, or consumer banking information was obtained by the criminals.

In addition, based on the forensic analysis to date, network monitoring and additional security measures, we believe that this incident is contained. Visa has removed us from the PCI compliance list, pending the results and resolution of our work. Upon reflection, this was not unexpected, and we are focused on the remediation measures necessary for full and timely PCI reinstatement. It goes without saying that we are providing uninterrupted service 24 hours a day to our customers around the world, as we speak.

I cannot stress more vehemently that this does not involve our merchants, our sales partners, or their relationships with their customers. Neither merchant systems nor point-of-sale devices were involved in any way. It is also important to emphasize that consumers are completely protected if any exposure were to arise. The card-issuing institutions have well-established and highly effective procedures to protect their customers. Consumers, as always, are encouraged to be vigilant, by reviewing their statements and reporting any suspicious activity to their card-issuing institution. To that end, we've established a consumer website for inquiries, which will be operational later this morning. The website is www.2012InfoSecurityUpdate.com. Operator, we will now take questions regarding the security incident.

(Operator Instructions). Your first question comes from Jim Kissane with Credit Suisse.

Paul, how quickly do you think you'll be back on Visa's approved processor list? Just a follow-up, you're calling it unauthorized access as opposed to a breach? What is the fine line between unauthorized access and a breach? If you can provide a little insight there. Thank you.

Okay Jim. In terms of when would we get our RoC back, our report of compliance, I would say that prior to the event, we can say breach, prior to the breach, I think they're synonymous, is really the answer to your second question. Prior to the breach, we were -- we received a report of compliance. And then after the breach, we were removed. I think it is a little bit like a Joseph Heller novel, Catch-22. You are compliant prior, if something happens, by definition, you are no longer. And therefore, that is not totally unexpected. The important thing is we are open for business and processing transactions.

Now how quickly can we get back? That is something we are absolutely focused on. And we're working around the clock, literally. And we are working collaboratively with all the associations to get that RoC back. And quite frankly, we have every expectation that will happen as expeditiously as possible. But this is somewhat nascent, in that -- remember this was self-discovered, self-reported. No one came to us, no one said there is records of all kinds of incidents out there with cardholders reporting incidents and banks having concern. None of that happened. We found this, we reported it within hours. We reported it.

And this investigation is still continuing. So there are parts of this, Jim, that we still need to resolve and button up, although it's absolutely contained, to the best of our ability and opinion. It is absolutely contained. We have some work to do to get with the association to get this RoC back. So long-windy answer to saying it's going to be as soon as possible, and we are working very diligently. But I think it's going to take a little time.

Jim, this is David. Maybe a little more color on banding. We can't put a timeframe specifically on this. What we need to do is complete the investigation portion of this process, and then identify and perform any required remediations at that point, and we will do just that, that's our plan.

Are you aware of any fraudulent transactions on the accounts where the data has been stolen?

No, Jim, we are not.

Thank you very much.

Your next question comes from Glenn Greene with Oppenheimer.

Thank you, good morning. I guess I just wanted to get some clarity on the timeline of when you discovered this. It sounded like from your press release from Friday, it was early March, and there were some indications that the breach actually happened late January? Would just be helpful to get some clarity around the timing of events.

Okay. So a couple things, Glenn. First of all, this is an ongoing federal investigation. They're trying to get the bad guys here. So I can't be terribly specific, and I will tell you, there's a lot of rumor and innuendo out there, which is not helpful to anyone, and most of it, incredibly inaccurate.

But I can tell you this. Approximately three weeks ago, we identified that cardholder data may have been taken. Literally within hours of that discovery, we contacted federal law enforcement and the card associations. So we jumped on this instantly. Now in terms of other timelines, I just can not be specific, truly, about that.

Okay, and then in terms of the types of cards, was it Visa and MasterCard, or was it beyond that, other branded cards as well?

I think it is the major brands and pretty much in proportion to how they are used by the consumer.

Okay, I will leave it at that. Thank you.

Your next question comes from David Togut with Evercore Partners.

Can you give us a little bit more insight as to how much time you think it will take to actually rectify the issue?

David, I wish I could. And we clearly realize that is something we need to do as quickly as possible, and you can be assured that we are working very collaboratively with the associations. But quite frankly, they have every desire to have us button this up as quickly as possible too. So they're putting on the same end of the rope as we are. There have to make certain that every single thing that we say is fixed is fixed. They have to tick and tie that. That is not days, it's longer than that, regrettably. We don't think it's months, but we have work to do here. And I'll promise you this, we will keep you guys informed of this.

Great, and just as a quick follow-up. You said that none of GPN's merchants and none of those merchants' customers were affected. Does that suggest that the breach occurred through an ISO? If it's not your merchants or customers, where did the breach actually occur?

David, I am so glad you gave me a chance to answer that, because I want to really hit this hard. This was not a merchant breach, this was not an ISO breach. It has literally nothing to do with those guys, literally nothing to do with them. This was something that happened in a subset of our North American processing system. A handful of servers, as compared to significant numbers that we have, and after combing each of these, we had security measures in place that caught it. And now we're going back with a fine tooth comb with a number, I mean multiple forensic experts, leaders in the field, to go through every single aspect, every single server, every single piece of data, to make certain that we didn't miss anything. That's what I'm talking about, it's evolving.

But it was at our systems. It has nothing to do with the merchants, their relationship with their customers, our sales partners, financial institutions who do business with us. Nothing to do with them. Nothing, period, end of story. No more so than if they take US currency and the currency devalues or they accept a card brand, and they have a systemic issue. It has nothing to do with that.

Does this suggest you will have to step up R&D or system spending as a result?

Well, if the answer is, are we going to spend even more amount of money, quite frankly, on security, the answer is yes.

Okay, thank you very much.

Your next question comes from Julio Quinteros with Goldman Sachs.

I'm thinking more about the competitive response to this. So presumably in the ISO channel world, and in any other part of the world where you guys are actively competing, there's going to be a playbook out there that says you were breached. How do you keep your ISOs, especially the larger ones, from balking at this point? What guarantees do you have in contract terms that this was not some type of material adverse clause, where they could actually start considering looking at other merchant processor relationships at this point?

Julio, let me answer that, and I think Jeff Sloan wants to mention something as well. Firstly, I will tell you, I'm incredibly heartened by the competitors who, talking about people that you recognize who compete with us, who have given me every assurance that they will make certain that they don't do anything that would inappropriately take advantage of this situation. Quite frankly, I will tell you we all did the same when other occurrences have happened with other processors. I made those same assurances to those guys. We're all in this together, we're all in this together, all of us. The card issuers, the banks, the merchants, the acquirers, we are all in this together. And no one wants to try to capitalize on that. There might be rogues, but let me tell you, they are the outliers, and they are wrong.

Secondly, we've gotten similar responses from our customers. They said look, we know that we're going to get through this, we have a long relationship with your Company, we feel very good about everything you are doing, and we would like some more product now and again. That's the kind of business as usual comments you get, which quite frankly, are very heartening as well. Now, it doesn't say that I can guarantee there will be no fall-out here, because this is a significant thing we're working through. But so far, I will tell you that we are very, very encouraged by the response. Jeffrey?

I would just add on to what Paul said, Julio, by saying what he said a minute ago, which is there's absolutely nothing at our partner level, nothing at the ISO level with our bank referral partners, with VARs, or any other similar distribution partners that was impacted here. So what that really means, at the end of the day, is there's no need to replace, for example, point-of-sale equipment, or any way we operate with our partners. My experience, Julio, the thing that you tend to be most concerned about, in terms of disruption to our, or our partners' businesses is disturbances at the point-of-sale. Disturbances from an operating point of view. And while what happened is what it is, as Paul described, at the end of the day, the end point relationships between our partners and their merchants and the merchants and their customers was not impacted by what Paul has described. And I think that is probably the best way to think about how our partners have thought about it to date, that's how I view it, but that has also been my experience in having conversations with them through the weekend.

Okay, that's helpful. And then just any incremental expenses associated with this? Presumably, they will all be in fiscal 2013, since we only have one more quarter to go here in fiscal 2012?

Julio, this is David. When we can size it, we're in the early stage of the investigation, we will be back with what we have. We have to be able to size it, reasonably estimate it, any losses and expenses, anything we're doing right now relative to the investigation we are expensing as a period cost in Q4. We don't have an event to take a charge in Q3, so we will get back to you on that. And I think if we refer back to David Togut's question, any investment you would see will take itself into fiscal year 2013, I think that's part of the point of your question.

Great, that makes sense. Thanks.

Your next question comes from Bryan Keane with Deutsche Bank.

My first question, have you guys experienced anything like this? I'm sure in a smaller scale, in the Company's history?

The answer is no. We have not. That is some of the misinformation quite frankly. There was a rumor out there that we were aware of a data intrusion a year ago. The answer is no. This is the first incident, and we hope this is the last.

I think one of the answers, Bryan, is that this is an ongoing process. We get better and stronger every day. And I think one of the reasons we're getting assurances from our customers is they know that we will be even better at the end of this process. And that they'll be with someone who is very strong and very tested. So that is why it will take a while to get RoC, because we have to demonstrate all of that. So no, there was no other incident. If there were, quite frankly, we would have reported it.

And I assume the criminals probably try to attack multiple networks, and somehow they got through on GPN. Do you know exactly what it was that was the weakness on your side?

I would say this, that this speaks to the ongoing nature of the investigation. I don't think you can assume anything you just said, in the first part. I think that there is attacks that happen everyday against lots of people. And I think we have contained it, so you can be sure that we have all the necessary measures to protect ourselves, and that starts with, where do you think the intrusion happened? But I can't really be more specific, and I certainly can't speak to anything that is happening to anyone else as we speak.

Okay. And then last one for David, I assume a lot of these costs, we will have a separate broken out number, probably there will be some one-time charges I assume from this. And maybe some ongoing expense as well. I think that's what people are going to get at, just your thoughts there.

I think that's right, Bryan. We will call these out and make sure that they are clear to you. Again, just to sort of repeat what I said in answer to Julio's question, we can't right now reasonably estimate what the charges/losses might be, related to the incident. When we get to the point where we can reasonably estimate, we will record and accrue and disclose, so you are on exactly the right track. When we get to that point, we will be back to you guys.

Okay, thanks so much.

Your next question comes from Jason Kupferberg with Jefferies.

I just wanted to clarify the situation with Visa a little bit further. I know your press release yesterday said that you are still actively processing for all the brands. But you obviously are trying to get the RoC back there. So what exactly is the situation? Are you still able to process for Visa? Or do you have to wait to actually get the RoC back here?

Jason, there is two questions there. Number one is, are we processing transactions for Visa? The answer is absolutely, positively yes. Of course we are. We have millions of merchants around the world who are processing Visa transactions as we speak, will continue to process Visa transactions as we speak.

In terms of getting the RoC back, we're going to do that as expeditiously as humanly possible. And I think our merchants and our customers understand that this will make us even stronger. And if people were to leave and go to another processor, and God forbid something happened there, would they will go to another processor? PCI gets better and better and better. This will make us all better. This will help PCI be better. This will help us be better. This will make everybody more secure. We are all in this together.

And Visa, MasterCard, and the other brands absolutely understand that and we are working with them and they're working with us, and we are all trying to get ahead. What we shouldn't forget is these are thieves. These are bad guys. These are people who are working day and night to try to hurt all of us. And all of us together have to do our best to thwart them. That's what we are focused on.

So Jason, David. I'll add a little more color on that too. We're all of, a little over three weeks into this process. We have to complete the investigation portion of it, identify any things that require remediation and perform that remediation. We do expect to do just what Paul said, do that as expeditiously as possible, but we have to complete our work.

Okay. So in the meantime, what are the implications while you wait to get the RoC back?

Jason, I think that's an excellent question. I think it's unclear. I would say this. It does not, and nor would anyone suggest, that this would stop us from processing transactions. I think that what was mentioned earlier is true. It could give our partners some pause that they're doing business with somebody who experienced a breach. Regardless of whether or not there's a RoC involved, someone experienced a breach. And that's why we are working very, very, very hard on fixing all of that.

Jason, it's Jeff. I would just add that, as you know in our business, we have long-term relationships with customers, as David rightly said. As we continue our work, whatever needs to be remediated and done to Visa and the other networks' satisfaction, ultimately will be done. But these are long-term relationships with a lot of technical infrastructure around it. I think people understand what that means in terms of day-to-day operations. And for now, clearly through Friday and starting today around the world, it's business as usual.

Okay, very helpful. And into just sort of come back to the investigation and the remediation, which I understand you can't be precise in terms of how long this will take. It sounded like it is not days, it's not months, so people are going to say, okay maybe it's weeks, and you can debate how many weeks. But it would be resolution of that remediation over the next X number of weeks, for argument's sake? That will then allow you guys to reasonably estimate the charges and costs associated here? That's how we should be thinking about the sequence of events?

Jason, let me say this. Firstly, I think you said it extremely well. We understand there are two things hanging over us. Getting this RoC back and identifying the exact one-time charge associated with this. We are doing our very best to see both of those happen as quickly as possible, and I think it's still developing, still going on, there is still cost. David needs time to get his hands around all of that. But we are trying to do that as quickly as possible. If you push me, I would say maybe the RoC comes before the charge comes, probably in that order. But hopefully, it's as soon as possible.

Okay. Understood. Thanks a lot, guys. Good luck.

Your next question comes from Glenn Fodor with Morgan Stanley

Hello, everybody. Thanks for all of this color, it's great. Your confidence level that the 1.5 million account figure represents the upper end of the range, I know this is a moving target and it's variable, but that's a big difference from 10 and refreshing. But how can we kind of range-bound how much this could move here?

That's a great point. So you can be sure that we worked very hard on that. And we looked at every piece of data we could possibly look at, and then allowed ourselves some expansion. We are trying to do this in a way that puts our hands around it. We don't have complete clarity of information.

You have to come up with a number that we all believe is reasonable. We all believe this number to be a reasonable limit. Now, we obviously understand if this were to go beyond that, we would have to deal with that, and of course we would, but that is not our expectation. And it is because of a lot of work and effort that we came up with that. So we have a high degree of confidence in that number. If that were to change materially, of course, we would be out to you with that information.

You have a lot going on internally as far as platform consolidation and data center reshuffling. Could this event impact any aspects of your strategy there?

I would say the answer is no. This is what we're trying to do. We have almost 4,000 people at our Company. We have probably 100 who are focused on this and the rest of the people are running their businesses and signing up customers and operating their data facilities, et cetera.

It would be disingenuous to say that this wasn't distracting and that everyone in this room has clearly been working around-the-clock on this item, and quite frankly, will continue to. And that's going to be a little distracting and you can only do so much in one day. So it does mean that some hours we could have spent on product innovation, et cetera, we will push that off. But we are going to get back, focused on that as soon as we can, and the rest of the Company is already focused on it. So business as usual sounds a little trite, but we are doing to make that just exactly what that is, business as usual.

And then just last question. You said you made changes and there are still more changes to be made. Is that something where the networks will come in and help advise you on what needs to be done so you can fall back into compliance? That's basically my question. How much has been done already? Was it just to plug the leak and is it a whole lot more work to have the ongoing patch, if you will?

That's another excellent question, so Glenn, let me just say a couple things, which is not typical in these scenarios. Remember, we self-reported this. We determined it ourselves. No one came to us. And I think there is kind of a, that's great you guys did that, and that's the way these things should work. Now, how did they got in, in the first place? That's not a good thing. So we absolutely recognize that, and assume full responsibility for it.

Just detecting it early is a good thing, but it doesn't necessarily, it doesn't forgive us from trying to stop it altogether. So we're focused on that aspect of it. The associations are working collaboratively, they've been terrific to date. And they have forensic experts that are working collaboratively with us to get this done. And we will work arm-in-arm with them until it is resolved.

Thanks, everybody. Appreciate it.

At this time, I will now turn the call over to Paul Garcia for earnings commentary.

Thank you, operator. And let me say too, when we go to questions on the earnings, obviously we will continue to entertain questions on the data breach. So if you feel you want to ask some more of those, absolutely. We just wanted to get this out of here too, because as we said, we are running our business, we are pleased with our results, and we want to share them with you, and give you an opportunity to ask some questions about that as well.

Okay, so now for Q3. We did have a strong revenue and cash earnings per share performance in the Q, both resulting in 17% growth over prior Q3 to $534 million in revenue, and $0.83 of cash EPS. Our revenue this quarter also included a partial benefit from the three acquisitions we announced last quarter. These collectively added about 1 percentage point to total Company revenue growth, and these acquisitions are all on target financially for the quarter. Let me just remind you what those three were. The included the merchant business with more than 6,000 merchants from Alfa-Bank, increasing our footprint in Russia, it was HSBC's merchant acquiring business in Malta, consisting of about 4,000 merchants, and a portfolio of approximately 9,000 US e-commerce merchants from CyberSource.

For the third quarter, North America delivered revenue growth of 15%, driven largely by our US ISO channel, with continued solid performance from our gaming and direct businesses. Although Canadian transactions grew 6% on a transaction basis, Canada did not meet our internal expectations, and posted a revenue decline of about 5% in local currency, and that's primarily due to spread compression. Our international segment produced another very strong quarter, with revenue growth of 23%, fueled pretty much by all regions across Europe.

Asia's revenue grew at a somewhat slower rate, at 8%, in part due to an intentional exit from a major airline processing relationship. We exited that relationship. I am pleased to announce, very pleased to announce, and a lot of people been waiting for this, I'm very pleased to announce that we have received formal approval to process China UnionPay RMB transactions in much of Guangdong province. And, consistent with the manner in which China Union Pay defines its geographic regions. So it's not all of Guangdong, but it is cities like Guangzhou. This is a region with 80 million people, so this is probably covering 60 million of them. We continue to focus on expanding our RMB merchant-acquiring facilities to all of PRC, and we are making progress. For the current fiscal year, we anticipate Asia's revenue growth to be about 10%. I'll now turn it over to David. David?

Thank you, Paul. North America merchant services revenue growth of 15% was fueled by US transaction growth of 13%, and also the positive affect of the debit legislation changes. North America revenue growth was negatively affected by Canadian performance, and unfavorable Canadian foreign currency exchange rates. And as a result, North America cash operating income, or EBIT dollars, were down 1% for the third quarter over prior year. For fiscal 2012, our expectation for the US remains unchanged at mid-teens revenue growth. We now expect Canada revenue to be about flat to as much as 1% up over last year in local currency.

Our international segment delivered strong results. International cash operating margin increased to 37.2%, compared to 35% in the prior year. We continue to expect full-year revenue growth for fiscal 2012 in US dollars to be about 30%. For the quarter, we generated free cash flow of $56 million. This includes about $17 million in first-time cash distributions to our bank partners in Spain and Asia. Excluding these distributions, free cash flow would have been $73 million for the quarter. We define free cash flow as net operating cash flows, excluding the impact of settlement assets and obligations, less capital expenditures, and distributions to non-controlling interests. During the quarter, we spent $36 million on capital expenditures, a substantial portion of that on data center and network infrastructure initiatives. Our third-quarter tax rate, based on the face of the income statement, was about as expected, at about 28% on both a cash and GAAP basis. We continue to expect our full-year tax rates to be about 29%.

During the quarter, on a year-over-year basis, currency changes had a slightly unfavorable effect on each of GAAP and cash revenue and earnings, by about $5 million and $0.02 per share. We continue to believe the aggregate effect of currency will likely be about neutral to slightly positive to our earnings per share for fiscal 2012, compared to 2011, due to the general strengthening of the US dollar to date and our outlook for the rest of the year. Fluctuations in exchange rates and, in particular, rapid further strengthening of the US dollar could cause variances to our outlook.

In closing, we continue to expect seasonal improvement across our global markets, along with some incremental new business in our US card, gaming, and Greater Giving channels, to drive sequential benefits in our fourth quarter. And now, I'll turn the call back over to Paul.

Thank you, David. Based on our current outlook and assumptions, we continue to expect our annual fiscal 2012 revenue to be in the range of $2.15 billion to $2.2 billion, reflecting 16% to 18% growth, and our cash earnings per share to be in the range of $3.50 to $3.58, reflecting 14% to 16% growth over fiscal 2011. We now expect GAAP diluted earnings per share range of $3.10 to $3.18, representing 19% to 22% growth over the prior year, and reflecting planned cost savings initiatives in the fourth quarter. Excluding the impact of the debit legislation in our recent acquisitions, we plan to expand cash operating margins in our core business by as much as 50 basis points for the total Company for fiscal 2012. Operator, we will now go to questions.

(Operator Instructions). Your first question comes from David Koning with Robert W. Baird.

First of all, in North America, you mentioned EBIT was down just a bit year-over-year. I'm wondering if you can give us kind of the size of Durbin so that we can kind of get a thought of what maybe core EBIT was down, and then how you see that playing out? We have had a few, three or four good quarters of growth and now we've turned the other way. Maybe you can give us a little commentary on that.

David, this is David. Relative to the debit legislation, when we were together last quarter, we talked about it adding on the order of $40 million of revenue, and certain earnings. Then we incorporated that into the guidance. So I think what we can do for now is give you a little more color on that. We're not going to parse Durbin any further in terms of actual performance, and I'll come back to that again in a moment for a couple of interesting reasons. But I would tell you, Durbin is roughly on track. Probably a little ahead of the revenue side. But what has become very interesting is, we mentioned to you a couple times on the way to the actual implementation of Durbin and then even in that first quarter, that we thought it would be transitory, and we are indeed seeing evidence of that in the market as we speak.

Evidencing that, we have seen behaviors, even from some of our partners, that suggest that Durbin has its own influence in some ways that even maybe we didn't anticipate. For example, fees we have seen ISOs charge annually for certain months of the year, that occurred this quarter, were not repeated. And our suspicion of course is, that is in light of any debit legislation benefits, and it really shows the market still being -- our partners still being quite circumspect and making sure that all the proper economics are being returned to the proper places as part of this. So it's very difficult to even think about parsing the legislation at this point, so I think we'll stick with -- we incorporated it in the guidance last quarter. It is a little ahead, in and of itself, on the revenue line. But when you start looking at the overall market, I'm not certain we can even say that with absolute definity.

Okay, thanks. And then just on the EBIT side, do you expect declines to continue? And then quickly, on the breach, does that affect your ability to make acquisitions or buy back stock?

Right, so in order, I think that we expect EBIT growth in North America in Q4. We expect to see, our Q4 expectations obviously imply fairly typical seasonality, frankly, around the world, in the markets where we are used to seeing that. That would include US and Canada. So all in, we expect nice growth in Q4 in North America, obviously nice growth abroad in order to achieve the levels we are talking about, when you look at the math of the guidance for the fourth quarter.

Relative to capital planning, our priorities remain the same. While we work our way through the investigation -- and just go back to the earlier questions, we have to work our way to the investigation, work our way back through any of the remediation required on the RoC, since that's been a questions several times. That will take whatever time it takes. We can't define that right now. We will keep you posted as we go through the process.

So as we work our way through that, I think you may see us be a little bit more circumspect about the deployment of capital, and think about our resources. That does not mean that we are not open for business, not continuing the same path and the same priorities. But perhaps a little more circumspect about substantial outlays at any given time, and we will be back to you on that as things evolve.

Great, thank you.

Your next question comes from Tien-Tsin Huang with JPMorgan.

Just on Durbin, parsing through your answer to David's question, does that imply that the margins were little bit worse than you expected? I know it was running well ahead of what we had modeled. I'm just curious of it's just in the 20 basis point impact range, understanding that it is tough to parse through the details.

I think if you tried to isolate it, Tien-Tsin, you would say, if revenues are over-performing and it's coming from the ISO channel, by definition, the headwind is a little north of what one might have modeled.

Right, but still in that range? Are we talking about a significant difference, David?

No we are still in that range. And that's why, quite frankly, we're not going back and reparsing. What we said to you was the core business would expand its margins on the order of 50 basis points, excluding the three acquisitions, as well as the legislation. We're still on track for that. And we're still on track for the resulting net opportunity for expansion as well, and plus or minus a few basis points, no reason to parse that for you.

Okay, good. The Canada piece, the spread compression; a little bit worse than what we had expected. So what is driving that, is that just a competitive change going on there? Or is it perhaps tied to some of the regulation that's happening there? Just curious.

Tien-Tsin, this is Jeff. I will take a stab at Canada, and of course David can add as well. I would say that the spread compression continues. I think it is a very competitive market. We're actually relatively sanguine with our volume growth in Canada, as we believe that we are growing north of Canadian GDP, well north of it, as well as north of the organic rate of growth in the Visa and MasterCard volume and transaction counts in Canada. We have seen though, the spread that way, which is the genesis of Paul and David's commentary.

I believe that is a function of two things, Tien-Tsin. First, competition continues in Canada, so I think it is very competitive marketplace. Second, at the margin, the Canadian economy did not get as high as the US economy did in 2007 and 2008. It did not get as low as the US economy did an 2008 and 2009. But it has not recovered to the same extent that the US economic data has indicated that the United States has. So if you think about, Tien-Tsin, the richness of spread, a lot of that is in the small to mid-size business segment around the world, but including in Canada. That part has been impacted both by competition as well as by the factors about the Canadian economy that we are seeing. So we're pleased at the volume growth, but the spread compression more than offsets what we're seeing in terms of market share movements.

Okay. That makes sense. Thanks, Jeff. Just one more, if you don't mind, just on the breach, and then I'll jump off. Just 1.5 million cards, obviously pretty small versus what we saw at TJ Maxx and [Harlem]. I'm curious, is it fair to size the impact? And we look at those as case studies to help try and frame the impact? I don't know if it's a linear relationship or not, but it seems like it has got to be pretty small in relation to the other financial impacts that we saw those two cases. Is that fair?

Tien-Tsin, I have to tell you that we really can't tell you that is fair at this point. I think we have to continue to size the investments and all the things we have to do to remediate it. We don't think we would be coming back to say that it's more 1.5 million cards, but I don't think you can take a dollar cost on someone else and put it towards this. If anything, it could be much higher than that, because of the smaller number, but still the cost associated.

But I can say this. This is manageable. We will get through this. I would tell you that absolutely, positively. Now it might be bigger than we would like but we are going to get to this. It is a one-time charge, we will be better for it. We will get through this, and the sooner we can tell you, the better. That's what we are focused on.

Got it. It definitely does seem manageable. Appreciate it. Thank you.

Your next question comes from Ashwin Shirvaikar with Citibank. The question has been withdrawn. Your next question comes from Greg Smith with Sterne, Agee & Leach

Just back to Canada, if anything you can do or are you changing your strategy any? Is just still seems like this was kind of a pretty quick change in the spread compression.

Greg, it's Jeff. I'll answer that and David and Paul of course can comment as well. The first thing I would say is we continue to right-size the business in Canada. So we are taking expense actions to deal with the continued spread compression that we described a few minutes ago.

Number two, because the source of good spreads for us in any market, including Canada, is the small to mid-size business segment, we have put in place analytical programs to help us minimize attrition generally. But to minimize attrition, in particular, in the higher spread businesses, and really look at the lifetime value of customers in that market and around the world. So on the analytical side, those actions have been taken and should start to take effect this coming quarter.

We are also looking at a selective addition of sales personnel in those markets where we have a sustainable spread and defensible technology advantage, and we will make selective additional capital investments where appropriate. So I think our strategy has not changed in Canada. As I mentioned in Tien-Tsin's question, we're actually pleased with our volume performance relative to the market and our peers. But we just have to deal with the everyday reality of continued competition for spreads as well as the economic environment in the marketplace in which we operate.

Okay. And David, do you have the impact from currency on the revenues handy in Canada?

In Canada specifically? Greg, I don't know that we go country-by-country, but certainly, the Canadian dollar hasn't moved that much. So you can certainly work your way back to it. Hang on one second, and I'll see if I can give you some help there. I tell you what, I'll just get back to you, Greg, on that. We're not going to parse it by country. As you know, it was a negative impact but at the end of the day, not enormous. This really is about the reasons Jeff's describing.

Okay. And another question. Just on the data breach. So the issue with Visa and not being PCI compliant, you can process transactions, but are you precluded from signing new merchants up? What does it really mean?

Greg, this is Paul. The answer is, we are not precluded from signing up new merchants. We're literally signing them right now. We already had our day in Asia, and I can promise you, they signed a lot of merchants. So that is not part of this. I think Greg, this is, as I said, this Catch-22 reference I think is a fair one. The associations -- you had a breach, it's difficult to say you are compliant. So I think we have to remedy that.

But I wouldn't want to imply this is without teeth. This is not a good thing, not to have your RoC, and we are very focused on getting that reinstated. We take that very seriously. But it doesn't mean we can't process, and it doesn't mean that we can't sign merchants. Let me be very, very, very clear.

But at some point, if you are not compliant, what is the ramifications?

I would say, if you ask me to speculate, that a year from now we have major issues, I think that the associations have to protect themselves, but no one clearly is anticipating any of those.

Okay, I think that's pretty clear. And just one last one, maybe not the time to talk about this, but broadly throughout Europe, given some of the dislocation with banks there, have other opportunities popped up as far as potential acquisitions? Anything we may see on that front?

The answer is yes. So I thought David answered that acquisition question superbly, but I will say that we do have a pipeline; we are focused on it. We want to take a deep breath here to get through all of this right now. But we absolutely have some great opportunities, including some internationally. And just exactly what you said. So, stay tuned. We are hopeful.

Okay thanks. Good luck guys.

Your next question comes from Darrin Peller with Barclays. Our next question comes from Sanjay Sakhrani with KBW.

Just a quick question on Asia. I think the revenue guidance there also was a little tempered. Could you just talk about what specifically drove that?

Yes Sanjay, this is David. So for the quarter, we posted 8%, which is a little south of what we might have expected. I think we pointed out in Paul's prepared comments that we did intentionally exit a major merchant relationship in Asia. That was a regional airline for whom we were processing, with full indemnity from a bank partner. The indemnity expired, and we were unwilling to proceed without a reserve. So that took the edge off some of the growth, and it will again in Q4.

If you marry that to a couple of other thoughts, so we're looking at about 10% growth overall. Remember, we have had, on a full-year basis, the grow over challenges, particularly the last quarter, with the major merchant product launch. The nameless merchant from a year or so ago. So if you marry those together, you kind of get to this 10% level. I guess I would remind everyone on the call that a couple points of growth in Asia for this quarter, 8% versus a 10%, it is almost $700,000 of revenue inside of this company.

So all-in, plus or minus, we're about where we thought we were in Asia, it's probably a little minus. Your point is fair, and your question is absolutely fair. As we head into Q4, we're expecting a bit of an uptick in our DCC volumes, and indeed our volumes overall. We may do a couple of targeted repricings, as well. So we think we have Asia on track, but we really weren't surprised, but your question is fair. It is a little light of what we might hoped for, for Q3 and what we expected for Q3.

And Sanjay, let me add some color. This is Paul Garcia. The reality of Asia isn't that we generate a couple of million more in revenue per quarter one way or the other. The reality of Asia -- if it goes from 10 to 11 to 12 to 15, I will be very disappointed. Asia is all about getting the real opportunity mined in China, and this announcement about Guangdong and Guangzhou is huge for us. And it is going to take a while to materialize, but it is a very important flag planting.

Ditto with India. That's the other big market, and we're focused on expanding our presence there. So that is the real excitement and juice about Asia. And we are continuing to focus on delivering on that. And I am hopeful in a couple years, that is what we will be saying. We just have continued expansion in all these geographies.

I completely understand. Thanks. And then just one follow-up on the breach. I hate to beat the dead horse, but I want to make sure I understand this not-being Visa compliant issue. Is there any liability impact from a liability increase or anything like that? A financial impact related to that? And then also have you got any clarity from how MasterCard, on how they expect to respond? Thanks.

Sanjay, this is David. I think we will wrap up liability and hopefully one conversation in the future when we've completed the investigation when the how these pieces come together. We obviously don't know that right now, hence we can't quantify, can't reasonably estimate. And I guess just to be really painfully clear, this is not in our expectations for the year on a GAAP basis. We will get back to you on that when the time is right, and we will have to roll all of that up into one conversation at that time.

I would say clearly not being PCI compliant has financial liabilities, and that is part of the number that we will quantify eventually. And the sooner the better. On the MasterCard, the answer is what is MasterCard's expected? And there is other card brands here involved, too. I would say that it would not be unexpected to have MasterCard take similar action. We are working hand in glove with them, you can be sure. And their primary interest is to be very thoughtful and very thorough, and they're doing that.

Okay great, thank you.

Your next question comes from Dan Perlin with RBC.

I just have a few on the breach and one on the quarter. Can you confirm that the [bins] have been shut off for the 1.5 million cards? Or deactivated?

No. We can't. I think, Dan, I wouldn't really know how to answer that. I think that the card issuers typically deal with this in all manners of way. They look for any fraudulent activity, and it's very important to understand that, that does not necessarily translate. Having someone's number does not translate to that being a fraudulent transaction, it means they have access it. It does not mean it results in fraud activity or cards being issued or any of that, and we don't know that, that is developing. Of course, we're responsible for that, and we will absolutely stand tall and pay that.

But how the banks handle that -- really not banks necessarily, but how the card-issuing institutions handle that is really up to them. But I will tell you, that they have time-proven really thorough ways of doing it. Consumers regrettably have cards replaced all of the time, and it just kind of a matter of course in this industry. It's a dangerous world out there. But they do a superb job of doing this for the consumer; protecting the consumer completely. And we're going to play our role to make sure all of that works seamlessly.

Right and just to be clear, you're on the book for the replacement costs?

Absolutely, as we should be. We absolutely are on the hook for that, as we should be, and we stand tall to do that at any point. That is our obligation.

The act of processing a transaction as a non-PCI compliant acquire, typically means Visa and MasterCard are levying fines on you. Is that happening currently?

Dan? Were going to talk about liability all in one conversation when we can reasonably estimate it and size it. We will be back to you when we have that.

Can you remind us what the size of your insurance policy around all of this stuff is?

Dan, we have insurance in place for events like this, but we have to know exactly what the pieces and the parts are and calculate it against the actual policies and work with our providers and our partners, so when we have numbers we will get back to you.

All right. And then, in Canada, the transactions were strong, revenues were down. We're hearing that the ISO market in that region is heating up pretty significantly, and the trend would suggest that. Do you have any thoughts on that?

Dan, this is Jeff. I'll take that. We are pleased to have a number of our ISOs with us as partners in the Canadian market, and we're adding more, as we speak. So we think that is a good thing. We have been operating with a number of our partners up there for some time. So I don't think that is new. If you go back to what David and I talked about a few minutes ago, about what is going on in that marketplace, that is not driving the trends that we are seeing. Instead, it is just a very competitive market generally, augmented somewhat by a differential economic environment in terms of recovery, relative to what you see in the United States. But if you go back to what I mentioned, our volume growth, our transaction growth is good in that market. And if we can get more quality ISO partners out there, that is absolutely part of our plan.

But you think that with transaction growth, you can have incremental margins in that business, or are we going to have a similar problem to what we see in the US?

I think it is an order of magnitude different today in terms of the contribution of the ISOs in the Canadian marketplace versus what it is in the United States. We have a very large national business, for example, that we purchased a long time ago in Canada. So it is a little bit apples and oranges. But I would tell you, the way we think about it, Dan, as a tactical matter within the Company, is we welcome our partners to come up to Canada. So I'm not concerned about that issue in the near-term, nor do I think that is impacting the spreads that we described some time ago.

Okay, thank you.

Your next question comes from Chris Brendler with Stifel Nicolaus

On the breach front, I know it's still early, but is there any way that you can characterize in terms of where the breach occurred in your systems? Where that particular system was from a technology upgrade standpoint? I know you had the G2 data platform that you invested a lot in. Was that within G2 or is it outside G2? Was it a legacy system that was breached? Can you give us any color that front? Thanks.

Chris, let me clarify a couple things. Number one, remember that this was self-detected. So the loss prevention software we have in place that determine these types of intrusions actually worked. But it didn't work perfectly enough to stop them. So partly it worked, partly it didn't. And we are focusing on where that happened and remediating it, you can be sure that. We're not going to share any specific details on exactly, other than it is confined to North America, it is a number of servers based, and there's a massive number that were not implicated. That's all we can say on that. Partly, Chris, honestly this is an ongoing federal investigation, and we have got to let them do their work.

All right, I can understand that. So I guess in a related question, the North American operating margins down this quarter and with the security issues confined to North America, I'm wondering if you had any sense of, are we looking at a little lower margin in North America for the near-term as you address the security issues as well as what's going on in the marketplace? And if you could just give us a little more color, as to security issues on the North American margins. And also, I didn't catch if you have US transaction number and how the core business is doing in the US, it would also be helpful from a transaction count. Thanks.

Sure. So Chris, this is David. I will start where we were before. We're not in a position to quantify the impact of the incident. When we are, we will talk to you about it. Obviously, in Q4, with the new sales, the new merchants we're boarding for gaming, the uptick we see seasonally in Greater Giving. We are expecting EBIT and margins to tick up nicely in North America in Q4.

If you want to project forward, without quantifying, because we're not a position to do it, it is fair to say incremental investments in 2013 or something along those lines, once we're through our investigation through any remediation at all, revolves around anything we could quantify for you relative to the incident, many of our IT investments do indeed hit the North America merchant services income line. So it is fair to think about it in that way. But until we can quantify either of these, the impact of the intrusion, much less the ongoing investment levels, I cannot give you a great quantified answer. But from a color perspective, I think you're thinking about the geography of the income statement in the right way.

Right. And then on transactions, I saw you had 13% transaction growth in the US last quarter. Can you talk about how you caught that number for this quarter?

It was 13% again Chris.

Okay, great. Thank you very much.

At this time, we have reached the allotted time for questions and answers. I will now turn the call back to Paul Garcia for closing remarks.

Ladies and gentlemen, thank you very much, and we appreciate your interest in Global Payments.

Thank you. This concludes the conference. You may now disconnect.