Visa confirms another payment processor breach

Share this article:
Another payment processor has fallen victim to hackers, Visa confirmed on Monday.

Visa and MasterCard are notifying banks about accounts impacted by a "major compromise," unrelated to the massive Heartland Payment Systems incident announced last month, according to a number of credit unions and banking associations.

The hackers apparently breached the processor in the same way they infiltrated Heartland -- by placing malicious software on the network, according to an alert from the Pennsylvania Credit Union Association.

Visa hosted a conference call on Feb. 12 to notify member banks about the breach, which affected transactions made from February to August 2008, the association said. The incident involves account numbers and expiration dates, but no track data was compromised; therefore the attackers would be unable to make counterfeit cards.

The size of the breach appears significant but fewer cards were affected than in the Heartland case, the Community Bankers Association of Illinois said in its own announcement. That breach potentially exposed as many as 100 million accounts.

The victim in this case appears to be a provider that processes online transactions, said David Shettler, vice president and CTO of Open Security Foundation, a nonprofit that researches data breaches.

He told SCMagazineUS.com on Monday that the group has been receiving tips about the breach since Feb. 12, but few details have been confirmed.

"What concerns me is that Visa and MasterCard, they clearly know who it is," Shettler said. "That just won't say anything because the processor hasn't come clean. The sort of feel it gives people is that Visa and MasterCard are covering for some unnamed organization."

Visa and MasterCard began notifying card issuers about affected accounts on Feb. 9 and 13, respectively.

It is unclear whether this processor was compliant with payment industry guidelines, the association said. Heartland was deemed Payment Card Industry Data Security Standard-certified (PCI DSS) when it announced its breach.

This marks the third data-loss incident to impact payment processors in the past three months. In December, RBS WorldPay disclosed a breach that affected some 1.5 million card users. Shettler said cybercriminals are zoning in on these entities because they deal with the most amount of information.

"You can crack into merchants, but that's a limited scope," he said. "If I were the payment card industry, namely Visa and MasterCard, I'd be concerned."

Visa said it was working with business and financial institutions to improve security measures.

“Visa Inc. is aware that a processor has experienced a compromise of payment card account information from its systems," the company said in a statement on Monday. "It's essential that every business that handles payment card information adhere to the highest data protection standards to protect the security and privacy of their customers' financial information."

A representative from MasterCard could not be reached for comment.
Share this article:

Sign up to our newsletters

More in News

Feds warn health care sector of looming cyber attacks

The FBI believes that the lax security systems that the health care industry has in place make it a prime target for cyber attacks.

Brazilian president signs internet 'Bill of Rights' into law

Brazilian president signs internet 'Bill of Rights' into ...

President Dilma Rousseff signed the legislation on Wednesday at the NetMundial conference in Sao Paulo.

Android trojan sends premium SMS messages, targets U.S. users for first time

Android trojan sends premium SMS messages, targets U.S. ...

An SMS trojan for Android, known as FakeInst, has been observed sending premium SMS messages to users all over the world, including, for the first time, the United States.