Visa confirms another payment processor breach

Share this article:
Another payment processor has fallen victim to hackers, Visa confirmed on Monday.

Visa and MasterCard are notifying banks about accounts impacted by a "major compromise," unrelated to the massive Heartland Payment Systems incident announced last month, according to a number of credit unions and banking associations.

The hackers apparently breached the processor in the same way they infiltrated Heartland -- by placing malicious software on the network, according to an alert from the Pennsylvania Credit Union Association.

Visa hosted a conference call on Feb. 12 to notify member banks about the breach, which affected transactions made from February to August 2008, the association said. The incident involves account numbers and expiration dates, but no track data was compromised; therefore the attackers would be unable to make counterfeit cards.

The size of the breach appears significant but fewer cards were affected than in the Heartland case, the Community Bankers Association of Illinois said in its own announcement. That breach potentially exposed as many as 100 million accounts.

The victim in this case appears to be a provider that processes online transactions, said David Shettler, vice president and CTO of Open Security Foundation, a nonprofit that researches data breaches.

He told SCMagazineUS.com on Monday that the group has been receiving tips about the breach since Feb. 12, but few details have been confirmed.

"What concerns me is that Visa and MasterCard, they clearly know who it is," Shettler said. "That just won't say anything because the processor hasn't come clean. The sort of feel it gives people is that Visa and MasterCard are covering for some unnamed organization."

Visa and MasterCard began notifying card issuers about affected accounts on Feb. 9 and 13, respectively.

It is unclear whether this processor was compliant with payment industry guidelines, the association said. Heartland was deemed Payment Card Industry Data Security Standard-certified (PCI DSS) when it announced its breach.

This marks the third data-loss incident to impact payment processors in the past three months. In December, RBS WorldPay disclosed a breach that affected some 1.5 million card users. Shettler said cybercriminals are zoning in on these entities because they deal with the most amount of information.

"You can crack into merchants, but that's a limited scope," he said. "If I were the payment card industry, namely Visa and MasterCard, I'd be concerned."

Visa said it was working with business and financial institutions to improve security measures.

“Visa Inc. is aware that a processor has experienced a compromise of payment card account information from its systems," the company said in a statement on Monday. "It's essential that every business that handles payment card information adhere to the highest data protection standards to protect the security and privacy of their customers' financial information."

A representative from MasterCard could not be reached for comment.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.