Visa expels Global Payments following 1.5M-card breach

Share this article:

Global Payments, a major credit card processor based in Atlanta, is off Visa's approved list after it confirmed it was breached of some 1.5 million card numbers. The incident, however, is still shrouded in some mystery.

Visa didn't waste any time this weekend pulling breached credit card processor -- Atlanta-based Global Payments -- from its list of service providers compliant with payment industry guidelines.

"Upon reflection, this was not unexpected, and we are focused on remediation efforts for full and timely PCI (Payment Card Industry standard) reinstatement," Global Payments Chairman and CEO Paul Garcia told investors during a conference call on Monday morning.

On Friday, Global Payments confirmed that it was the victim of a data breach affecting cards from all of the major brands, including Visa and MasterCard. Two days later, the company said fewer than 1.5 million card numbers were compromised, down from some earlier estimates that had placed the number closer to 10 million.

Garcia told investors that the breach, which was discovered roughly three weeks ago, occurred on an unspecified segment of the company's North American processing system. The hackers accessed only magnetic stripe-encoded Track 2 data, which is up to 40 characters in length and includes a card's primary account number, expiration date, service code, PIN and CVV number. Other information, such as names, addresses and Social Security numbers, were not exposed.

The incident, which was "confined," did not involve the systems of any customers or partners, Garcia added.

"We had security measures in place that caught it," he said. "It was our systems. It had nothing to do with merchants."

Garcia's account of the breach, first reported by security journalist Brian Krebs in his Krebs on Security blog, runs counter to at least two other pieces of possible evidence.

The first is the chronology. PSCU, which provides financial services, such as bill payment solutions, to 680 credit unions, sent a security alert last week after being contacted by Visa. The alert, obtained by SCMagazine.com, reported the breach lasted from Jan. 21 and Feb. 25. If that is true, it would belie Garcia's statement that the incident was internally discovered three weeks ago.

The second is the entry point. Avivah Litah, vice president and distinguished analyst at Gartner, told SCMagazine.com on Friday that, based on what her sources in the payment industry told her, she is "95 percent" sure that the breach initiated at a taxi and parking garage company in New York City.

A spokesman for the city's Taxi and Limousine Commission, which licenses cabs, did not respond to a request for comment on Monday.

Garcia declined to discuss these specifics, such as a timeline of events, and he would not elaborate on how the hackers accessed the the network. He said the company is not aware of any fraud as a result of the breach, but that it would be responsible for paying for any replacement cards that are issued by banks.

The company said it is still processing transactions, despite being off Visa's approved list.

"What's the takeaway on PCI?" Litan asked on Monday in a blog post. "The same one that's been around for years. Passing a PCI compliance audit does not mean your systems are secure. Focus on security and not on passing the audit."

The card brand moved much faster removing Global Payments from the list than it did when another processor, Heartland Payment Systems, announced a breach of some 100 million card numbers in January 2009. In that case, Visa expelled Heartland from the list about two months later, but Heartland re-validated compliance within roughly six weeks.

In the case of Heartland, Visa told merchants that, despite the processor being temporarily removed from the list, they faced no fines for continuing to do business with it.

Share this article:

Sign up to our newsletters

More in News

Op Emmental spoofs bank sites, uses Android malware to maintain account access

Op Emmental spoofs bank sites, uses Android malware ...

On Tuesday, Trend Micro released a report detailing Operation Emmental, which targets victims in Austria, Switzerland, Sweden and Japan.

Goodwill investigates compromise of credit, debit card info

Credit card and debit card data may have been compromised at several Goodwill locations around the country.

Vice.com hacked, possibly The Wall Street Journal website too

Vice.com hacked, possibly The Wall Street Journal website ...

A reported Russian hacker group known as W0rm tweeted on Monday that it had hacked Vice.com and The Wall Street Journal website.