Processing System Intrusion
12 Months Ended
May 31, 2012

In early March of this year, we identified and self-reported unauthorized access into a limited portion of our North America card processing system.

As a result of this event, certain card networks removed us from their list of Payment Card Industry Data Security Standard, referred to as PCI DSS, compliant service providers. We have hired a Qualified Security Assessor, or QSA, to conduct an independent review of the PCI DSS compliance of our systems. Once that review is complete and we conclude the required remediation, we will work closely with the networks to return to the lists of PCI DSS compliant service providers as quickly as possible. We continue to sign new merchants and process transactions around the world for all card networks.
    
The investigation also revealed potential unauthorized access to servers containing personal information collected from a subset of merchant applicants. It is unclear whether any such information was exported; however, we notified potentially-affected individuals and made available credit monitoring and identity protection insurance at no cost to the individual.

For the year ended May 31, 2012, we have recorded $84.4 million of expense associated with this incident. Of this amount, $19.0 million represents the costs we have incurred through May 31, 2012 for legal fees, fees of consultants and other professional advisors engaged to conduct the investigation and various other costs associated with the investigation and remediation. An additional $67.4 million represents an accrual of our estimate of fraud losses, fines and other charges that will be imposed upon us by the card networks. We have also recorded $2.0 million of insurance recoveries based on claims submitted to date as discussed below. We based our estimate of fraud losses, fines and other charges on our understanding of the rules and operating regulations published by the networks and preliminary settlement discussions with the networks. As such, the final settlement amounts and our ultimate costs associated with fraud losses, fines and other charges that will be imposed by the networks could differ from the amount we have accrued as of May 31, 2012. Any such difference could have a material impact on our results of operations in the period in which the associated claims are actually settled, or in the period in which we receive additional information that would cause us to refine our estimate of losses and adjust our accrual. Currently we do not have sufficient information to estimate the amount or range of additional possible loss.

A class action arising out of the data breach we experienced earlier this year was filed against us on April 4, 2012 by Natalie Willingham (individually and on behalf of a putative nationwide class). Specifically, Ms. Willingham alleged that the Company failed to maintain reasonable and adequate procedures to protect her personally identifiable information (“PII”) which she claims resulted in two fraudulent charges on her credit card in March 2012.  Further, Ms. Willingham asserted that the Company failed to timely notify the public of the data breach.  Based on these allegations, Ms. Willingham asserted claims for negligence, violation of the Federal Stored Communications Act, willful violation of the Fair Credit Reporting Act, negligent violation of the Fair Credit Reporting Act, violation of Georgia's Unfair and Deceptive Trade Practices Act, negligence per se, breach of third-party beneficiary contract, and breach of implied contract. Plaintiffs seek an unspecified amount of damages and injunctive relief. The suit was filed in the United States District Court for the Northern District of Georgia. On May 14, 2012, the Company filed a motion to dismiss. On July 11, 2012, Plaintiff filed a motion for leave to amend her complaint, and on July 16, 2012, the Court granted that motion. Plaintiff filed an amended complaint on July 16, 2012. The amended complaint does not add any new causes of action. Instead, it adds two new named Plaintiffs (Nadine and Robert Hielscher) and drops Plaintiffs' claim for negligence per se. The Company's deadline for responding to the amended complaint is August 2, 2012. At this stage of the proceedings we cannot predict the outcome of the matter, but we intend to defend the matter vigorously. We have not recorded a loss accrual related to this matter because we have not determined that a loss is probable. Currently we do not have sufficient information to estimate the amount or range of possible loss associated with this matter.

We are insured under policies that we believe may provide coverage of certain costs associated with this event. The policies provide a total of $30.0 million in policy limits and contain various sub-limits of liability and other terms, conditions and limitations, including a $1.0 million deductible per claim. The insurers have been advised of the circumstances surrounding our recent event. As of May 31, 2012 we have recorded $2.0 million in insurance recoveries based on claims submitted to date. We expect to receive additional recoveries as we receive assessments from the networks and submit additional claims. We will record receivables for such recoveries in the periods in which we determine such recovery is probable and the amount can be reasonably estimated.

We expect to incur additional costs associated with investigation, remediation and demonstrating PCI DSS compliance and for the credit monitoring and identity protection insurance we are providing to potentially-affected individuals. We will expense such costs as they are incurred in accordance with our accounting policies for such costs. We currently anticipate that such additional costs may be material to our fiscal 2013 results of operations.