Visa didn't waste any time this weekend pulling breached credit card processor -- Atlanta-based Global Payments -- from its list of service providers compliant with payment industry guidelines.
"Upon reflection, this was not unexpected, and we are focused on remediation efforts for full and timely PCI (Payment Card Industry standard) reinstatement," Global Payments Chairman and CEO Paul Garcia told investors during a conference call on Monday morning.
On Friday, Global Payments confirmed that it was the victim of a data breach affecting cards from all of the major brands, including Visa and MasterCard. Two days later, the company said fewer than 1.5 million card numbers were compromised, down from some earlier estimates that had placed the number closer to 10 million.
Garcia told investors that the breach, which was discovered roughly three weeks ago, occurred on an unspecified segment of the company's North American processing system. The hackers accessed only magnetic stripe-encoded Track 2 data, which is up to 40 characters in length and includes a card's primary account number, expiration date, service code, PIN and CVV number. Other information, such as names, addresses and Social Security numbers, were not exposed.
The incident, which was "confined," did not involve the systems of any customers or partners, Garcia added.
"We had security measures in place that caught it," he said. "It was our systems. It had nothing to do with merchants."
Garcia's account of the breach, first reported by security journalist Brian Krebs in his Krebs on Security blog, runs counter to at least two other pieces of possible evidence.
The first is the chronology. PSCU, which provides financial services, such as bill payment solutions, to 680 credit unions, sent a security alert last week after being contacted by Visa. The alert, obtained by SCMagazine.com, reported the breach lasted from Jan. 21 and Feb. 25. If that is true, it would belie Garcia's statement that the incident was internally discovered three weeks ago.
The second is the entry point. Avivah Litah, vice president and distinguished analyst at Gartner, told SCMagazine.com on Friday that, based on what her sources in the payment industry told her, she is "95 percent" sure that the breach initiated at a taxi and parking garage company in New York City.
A spokesman for the city's Taxi and Limousine Commission, which licenses cabs, did not respond to a request for comment on Monday.
Garcia declined to discuss these specifics, such as a timeline of events, and he would not elaborate on how the hackers accessed the the network. He said the company is not aware of any fraud as a result of the breach, but that it would be responsible for paying for any replacement cards that are issued by banks.
The company said it is still processing transactions, despite being off Visa's approved list.
"What's the takeaway on PCI?" Litan asked on Monday in a blog post. "The same one that's been around for years. Passing a PCI compliance audit does not mean your systems are secure. Focus on security and not on passing the audit."
The card brand moved much faster removing Global Payments from the list than it did when another processor, Heartland Payment Systems, announced a breach of some 100 million card numbers in January 2009. In that case, Visa expelled Heartland from the list about two months later, but Heartland re-validated compliance within roughly six weeks.
In the case of Heartland, Visa told merchants that, despite the processor being temporarily removed from the list, they faced no fines for continuing to do business with it.
