Risk and Compliance Resource Center

Is the latest Global Payments breach just one of many out there?

Share this article:
Avivah Litan
Avivah Litan
I just got off the Global Payments call where they talked about their breach. Their breach seems to be very different than the one Visa issued an alert on. Information presented on the timing windows were different and not reconciled during the Global Payments call (Visa reported the exposure window was January 21, 2012 – February 25, 2012, and Global Payments only reported they self-detected the breach early March), the data that may have been stolen was different (Visa reported Track 1 and 2; Global Payment reported only Track 2), and the reports on fraud (Global Payments said they had not heard about fraud on the stolen cards) are different.

Sounds like there's a lot more going on out there than the payment industry and law enforcement have nailed down and are prepared to talk about.

In the meantime, Global Payments – which was PCI compliant at the time of its breach – is no longer PCI compliant, and was delisted by Visa. Yet they continue to process payments.

What's the takeaway on PCI? The same one that's been around for years. Passing a PCI compliance audit does not mean your systems are secure. Focus on security and not on passing the audit.


This article was originally published on the Gartner website, and is used by permission. Avivah Litan is a vice president and distinguished analyst in Gartner Research. Her area of expertise includes fraud detection and prevention applications, authentication, adaptive access management, identity proofing, identity theft, and other areas of information security and risk. She also covers the PCI compliance program and the security aspects of payment systems.
Share this article:
close

Next Article in Risk and Compliance Resource Center

Sign up to our newsletters

More in Risk and Compliance Resource Center

Why the world is not ready to share sensitive information

Why the world is not ready to share ...

Is there such a thing as an exchange of secure information in an insecure world?

Data breach numbers don't lie: How organizations can protect against accidental data loss

Data breach numbers don't lie: How organizations can ...

To effectively mitigate mobile risk, organizations should employ the same content security capabilities, and ideally leverage the same content policies and rules in mobile environments.

Understanding parallax and convergence to improve security

Understanding parallax and convergence to improve security

To address today's threats, companies require a high degree of convergent perspective, information expertise, and coordination between personnel and groups.