Credit Card Data Breach Involves All Major Brands

NEW YORK (CNNMoney) — A data breach at a payments processing firm has
potentially compromised credit and debit card information from all of
the major card brands.

Global Payments, a company that processes card transactions,
confirmed late Friday that “card data may have been accessed.” It says
it discovered the intrusion in early March and “promptly” notified
others in the industry.

Global Payments did not say how many accounts were affected, or what
kind of information was compromised. A U.S. Secret Service spokesman
said Saturday that the agency is investigating the incident.

A Wall Street Journal report from earlier Friday saying that Global
Payments had been hacked sent the company’s shares down 9% before
trading was halted. The stock did not resume trading before the market
closed.

Global Payments did not say which card companies were affected, but
Visa released a statement saying that it was all of the big players.

“Visa Inc. is aware of a potential data compromise incident at a
third party entity affecting card account information from all major
card brands,” it said.

Late Sunday, Visa spokeswoman Sandra Chu confirmed to CNN that Visa
had removed Global Payments from its list of preferred credit-card
processors.

When a customer swipes a credit card, the data is sent to a payment
processor like Global Payments, which then forwards the transaction
information to card companies like Visa and MasterCard.

That’s a massive business: Global Payments processed $167.3 billion
worth of transactions in its last fiscal year, which ended May 31, 2011.
Global Payments specializing in serving small merchants, like
mom-and-pop businesses and local retailers.

It emphasized that none of them were to blame for the data leak.

“It is crucial to understand that this incident does not involve our
merchants or their relationships with their customers,” Global Payments
said.

It plans to hold a conference call Monday morning to provide more details on the debacle.

‘Massive’ breach? News of the breach was first reported by the
respected security blog Krebs on Security. The blog said the breach was
“massive,” and could involve more than 10 million card numbers.

“I’ve spoken with folks in the card business who are seeing signs of
this breach mushroom,” Gartner security analyst Avivah Litan wrote
Friday in a blog post.

Her sources say the hackers have begun using some of the card data they stole, Litan added.

When payment processors get hacked, the shrapnel can spread far. The
record holder for the largest-ever breach is believed to be a 2008
attack on Heartland Payment Systems, in which an estimated 130 million
customer accounts were compromised.

Heartland eventually paid more than $110 million to Visa, MasterCard,
American Express and other card associations to settle claims related
to the breach.

In regard to the Global Payments breach, MasterCard said it has
alerted payment card issuers “regarding certain MasterCard accounts that
are potentially at risk.”

Visa released a statement saying it too has provided card issuers
with notifications about accounts that could be affected. The issuers
“can take steps to protect consumers through independent fraud
monitoring and, if needed, reissuing cards,” it said.

Both MasterCard and Visa emphasized that their own networks had not been penetrated.

Discover and American Express each released short statements saying
they are aware of the situation and are monitoring customer accounts for
suspicious activity.

In data breach situations, credit card companies generally offer
affected customers fraud monitoring services at no cost — and customers
aren’t on the hook for any fraudulent charges. The card issuers
themselves are responsible for those costs.

Questions about industry standards: Several security researchers said
the breach is a prime example of why the current Payment Card Industry
Data Security Standard (PCI-DSS) is inadequate.

“Expect to see yet another round of almost religious fervor in the
debate over the real value of PCI-DSS,” Geoff Webb, director of product
marketing at data-protection company Credant Technologies, said in an
email.

Cybercriminals “are constantly looking for opportunities to identify
and attack sites where there is a weakness in security — just like a
predator looks out for the weakest member of the herd,” he added.

Litan, the Gartner analyst, is skeptical about whether the credit
card industry will invest the money and time required to switch to a
more secure system, like “smart cards” embedded with chips, which are
used in some foreign countries.

“It’s cheaper for them to deal with these breaches than to make all
those chip cards,” Litan told CNNMoney. “We’ve had all of these
breaches, but there have not been any significant attempts to change the
situation. The information is easy to steal, and cards are easy to use,
so it’s like free money for criminals.”