Visa confirms another payment processor breach
Visa and MasterCard are notifying banks about accounts impacted by a "major compromise," unrelated to the massive Heartland Payment Systems incident announced last month, according to a number of credit unions and banking associations.
The hackers apparently breached the processor in the same way they infiltrated Heartland -- by placing malicious software on the network, according to an alert from the Pennsylvania Credit Union Association.
Visa hosted a conference call on Feb. 12 to notify member banks about the breach, which affected transactions made from February to August 2008, the association said. The incident involves account numbers and expiration dates, but no track data was compromised; therefore the attackers would be unable to make counterfeit cards.
The size of the breach appears significant but fewer cards were affected than in the Heartland case, the Community Bankers Association of Illinois said in its own announcement. That breach potentially exposed as many as 100 million accounts.
The victim in this case appears to be a provider that processes online transactions, said David Shettler, vice president and CTO of Open Security Foundation, a nonprofit that researches data breaches.
He told SCMagazineUS.com on Monday that the group has been receiving tips about the breach since Feb. 12, but few details have been confirmed.
"What concerns me is that Visa and MasterCard, they clearly know who it is," Shettler said. "That just won't say anything because the processor hasn't come clean. The sort of feel it gives people is that Visa and MasterCard are covering for some unnamed organization."
Visa and MasterCard began notifying card issuers about affected accounts on Feb. 9 and 13, respectively.
It is unclear whether this processor was compliant with payment industry guidelines, the association said. Heartland was deemed Payment Card Industry Data Security Standard-certified (PCI DSS) when it announced its breach.
This marks the third data-loss incident to impact payment processors in the past three months. In December, RBS WorldPay disclosed a breach that affected some 1.5 million card users. Shettler said cybercriminals are zoning in on these entities because they deal with the most amount of information.
"You can crack into merchants, but that's a limited scope," he said. "If I were the payment card industry, namely Visa and MasterCard, I'd be concerned."
Visa said it was working with business and financial institutions to improve security measures.
“Visa Inc. is aware that a processor has experienced a compromise of payment card account information from its systems," the company said in a statement on Monday. "It's essential that every business that handles payment card information adhere to the highest data protection standards to protect the security and privacy of their customers' financial information."
A representative from MasterCard could not be reached for comment.