Friday, April 6, 2012
In an April 3, 2012, conference call, Global Payments Inc. Chairman and Chief Executive Officer Paul Garcia said the recent data breach of Global's payment network has put the processor in a "Catch 22" with the Payment Card Industry (PCI) Data Security Standard (DSS). By being breached, the processor was deemed not compliant with the PCI DSS, even though Global was officially compliant before the breach, he said.
The breach was disclosed March 30, 2012, and reportedly involved the compromise of 1.5 million North American accounts. Garcia said Global received a report of compliance prior to the breach. But Visa Inc. stripped away Global's PCI DSS compliant designation following the breach. "[I]t's a little like a Joseph Heller novel Catch 22," Garcia said. "You are compliant prior, [but] if something happens, by definition you are no longer."
Regardless, Garcia said the company is working "around the clock" to regain its record of compliance (ROC). "Visa has removed us from the PCI compliance list pending the results and resolution of our work," he said. "Upon reflection, this is not unexpected. We are focused on remediation necessary for full PCI reinstatement. It goes without saying we are providing uninterrupted service to our customers around the world as we speak."
On April 1, Visa removed Global from its registry of PCI DSS-validated service providers. "Per our normal process, Visa has asked Global Payments to revalidate its PCI DSS compliance," the card brand said in a statement. "The PCI DSS has proven to be a highly effective foundation of minimum security standards when fully, correctly and consistently implemented across all systems handling cardholder data."
In a statement, the PCI Security Standards Council reiterated that the PCI DSS is the "best defense against incidents of this kind. An intrusion need not result in card data compromise if an organization is following the 12 guiding requirements of the PCI Data Security Standard."
Despite the breach and the PCI DSS compliance delisting, Global is still processing payments. "The important thing is we are open for business and processing transactions," Garcia said. When pressed on whether Global is still processing transactions for Visa, Garcia responded, "Absolutely, positively yes."
The CEO added that long-term relationships with clients, together with "a lot of technical relationships around it," mean "today it's business as usual." He noted that the company continues to sign new merchants. "It is not a good thing not to have an ROC, but it doesn't mean we can't sign merchants or can't process," he said.
Garcia also emphasized the data breach suffered by his company "does not involve our merchants, sales partners or their relationships with their customers." He continued, "Neither merchant systems nor point of sale devices were involved in any way."
Garcia asserted that ISOs can be reassured that the breach had no impact on them. "This is not a merchant breach," he said. "This was not an ISO breach. This literally had nothing to do with them – end of story."
Garcia said competitors contacted Global to inform the company they would not "inappropriately" take competitive advantage of the theft – a commitment he said Global made to its competitors when their systems suffered similar incidents of massive data loss.
Garcia noted Global also received positive reports from customers who said they would not abandon the processor because of the breach. "We can't guarantee there will be no fall-out," Garcia said. "We were very encouraged by the response."
Global will not be able to assess its liability until both its own investigation and the federal law enforcement investigations are complete. "Not being PCI compliant has financial liabilities," Garcia said, but he noted that quantifying that liability will not be possible until the investigations are complete. "We can't reasonably estimate charges and costs yet," he added.