The Green Sheet Online Edition
April 23, 2012 • Issue 12:04:02
Global Payments, payments community respond to reported breach
Atlanta ISO and payment processor Global Payments Inc. was reportedly the victim of a data breach that potentially compromised an estimated 1.5 million North American accounts. Trading on Global Payments stock was halted March 30, 2012, after reports of the breach surfaced. Before trading was stopped, the company's stock price had fallen just over 22 percent to $47.50.
The break-in was first reported by the blog Krebsonsecurity.com, authored by former Washington Post reporter Brian Krebs. He said Global Payments was compromised between Jan. 21 and Feb. 25, 2012, based on alerts that MasterCard Worldwide and Visa Inc. sent to financial institutions shortly thereafter.
Krebs said the thieves were able to acquire enough data to counterfeit new cards. He also quoted sources saying more than 10 million card numbers may have been compromised. He then went on to say PSCU Financial, a nonprofit cooperative credit union service organization, told its members 56,455 Visa and MasterCard accounts had been compromised, but fraud was found to have occurred in only 876 accounts so far.
Card company statements
Shortly after the breach came to light, MasterCard and Visa both issued statements acknowledging they had begun investigating a data breach at what Visa called a "third party entity" and MasterCard referred to as a "U.S.-based entity."
Visa's statement referred to "a potential data compromise incident" involving "all major card brands." The company emphasized Visa systems were not breached and reminded the public of its zero liability fraud protection policy.
"Every business that handles payment card information is expected to protect the security and privacy of their customers' financial information by adhering to the highest data protection standards," Visa stated, adding it is taking a proactive approach to news of the breach.
"Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards."
MasterCard said in its statement it is alerting payment card issuers of "certain MasterCard accounts that are potentially at risk" because of the data breach. "Law enforcement has been notified of this matter and the incident is currently the subject of an ongoing forensic review by an independent data security organization," MasterCard said. "It is important to note that MasterCard's own systems have not been compromised in any manner."
Discover Financial Services spokeswoman Laura Gingiss said her company is aware of the breach reports and is monitoring accounts for suspicious activity. She said the card company "will reissue plastics as appropriate" and pointed out Discover customers have no liability for incidents of fraud.
Security sector response
Mark Bower, Vice President of Voltage Security Inc., said payment processors such as Global Payments have been a target of attacks for years. "If there's one industry that absolutely needs to adopt a data-centric security strategy to mitigate breach risk, it's the payments industry," he said.
"And the writing is on the wall for those payment acquirers that don't. The PCI Council recognizes these risks, so it should be no surprise if an organization that relies on older perimeter security strategies is breached and lands on the front pages of newspapers."
Joe Levy, Chief Technology Officer for the security intelligence and analytics company Solera Networks, said, "It would not be surprising if the investigation slowly reveals that the breach involved techniques such as web application exploitation, maneuvering from a compromised public system into the internal systems, and that the presence on the network was longer-term than estimated.
"These tend to be common characteristics of these kinds of events. And it underscores the fact that perimeter defenses are imperfect and will almost always be breached by a sufficiently motivated adversary. It also illustrates the insufficiency of our current incident response practices."
Reports of the data breach also brought a quick response from Congresswoman Mary Bono, R-Calif., Chair of the House Subcommittee on Commerce, Manufacturing and Trade. Bono is co-author of the pending Secure and Fortify Electronic (SAFE) Data Act. "You shouldn't have to cross your fingers and whisper a prayer when you type in a credit card number on your computer and hit 'Enter,'" she said.
Global in a 'Catch 22'
In an April 3, 2012, conference call, Global Payments Inc. Chairman and Chief Executive Officer Paul Garcia said Global had received a report of compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) prior to the breach. But Visa stripped away Global's PCI DSS compliant designation following the breach. "[I]t's a little like a Joseph Heller novel Catch 22," Garcia said. "You are compliant prior, [but] if something happens, by definition you are no longer."
Regardless, Garcia said the company is working "around the clock" to regain its Report on Compliance (ROC). "Visa has removed us from the PCI compliance list pending the results and resolution of our work," he said. "Upon reflection, this is not unexpected. We are focused on remediation necessary for full PCI reinstatement. It goes without saying we are providing uninterrupted service to our customers around the world as we speak."
PCI DSS revalidation required
Visa removed Global from its registry of PCI DSS-validated service providers on April 1. "Per our normal process, Visa has asked Global Payments to revalidate its PCI DSS compliance," the card brand said in a statement. "The PCI DSS has proven to be a highly effective foundation of minimum security standards when fully, correctly and consistently implemented across all systems handling cardholder data."
In a statement, the PCI Security Standards Council reiterated that the PCI DSS is the "best defense against incidents of this kind. An intrusion need not result in card data compromise if an organization is following the 12 guiding requirements of the PCI Data Security Standard."
Still open for business
Despite the breach and the PCI DSS compliance delisting, Global is still processing payments. "The important thing is we are open for business and processing transactions," Garcia said. When pressed if Global is still processing transactions for Visa, Garcia responded, "Absolutely, positively yes."
The CEO added that long-term relationships with clients, together with "a lot of technical relationships around it," means "today it's business as usual." He noted that the company continues to sign new merchants. "It is not a good thing not to have an ROC, but it doesn't mean we can't sign merchants or can't process," he said.
ISOs, customers OK
Garcia also emphasized the data breach suffered by his company "does not involve our merchants, sales partners or their relationships with their customers. ... Neither merchant systems nor point of sale devices were involved in any way." Garcia asserted that ISOs can be reassured that the breach had no impact on them. "This is not a merchant breach," he said. "This was not an ISO breach. This literally had nothing to do with them - end of story."
Garcia said competitors contacted Global to inform the company they would not "inappropriately" take competitive advantage of the theft - a commitment he said Global made to its competitors when their systems suffered similar incidents of massive data loss.
Garcia noted Global also received positive reports from customers who said they would not abandon the processor because of the breach. "We can't guarantee there will be no fallout," Garcia said. "We were very encouraged by the response."
Liability not yet assessed
Global will not be able to assess its liability until both its own investigation and the federal law enforcement investigations are complete. "Not being PCI compliant has financial liabilities," Garcia said, but added quantifying that liability will not be possible until the investigations are complete. "We can't reasonably estimate charges and costs yet," he added.
A FAQ link on the Global Payments website said, in part, "We are aware that individuals attempting to perpetuate fraud, via the Internet and otherwise, may be using the Global Payments' name or a Global Payments' product name, (Global Transport and logo) to deceive consumers." The company urges customers who believe they have been victimized by fraud to visit the government's Internet Crime Complaint Center at www.ic3.gov and file a complaint.