he recent news that Wachovia Corp. reissued debit cards the week of June 12 to an unspecified number of customers has caused some concern that a new breach of PIN data had occurred.

But acting on a February alert from Visa U.S.A., the bank has only now made the decision to reissue cards, according to Mary Beth Navarro, Manager for Retail Banking Communications.

"We marked all the cards that Visa indicates were affected, and we've been monitoring them. More recently, we began to see what we believe was fraud activity, and we took immediate action with those customers," as well as the additional step of reissuing cards to all the accounts identified by Visa as possibly compromised, Navarro said. She declined to estimate the number of new cards issued.

An undated statement released by Visa said the compromise occurred at an independent, U.S.-based ATM processor. Visa did not name the processor and declined to be interviewed for this story.

"The information we have is based on what Visa told us," Navarro said. It did not involve any Wachovia-owned ATMs. "We process our own ATM transactions. We believe our customers were impacted when they used an ATM that used this processor." Other banks alerted by Visa reissued cards in the first quarter of the year. They may have been responding to breaches not associated with the ATM processor.

"[I]t's important that every entity that handles payment card information adhere to the highest data protection standards, such as the Payment Card Industry (PCI) standard, to protect the security and privacy of their customers," the Visa release stated.

Fears for the system

The industry has been concerned about this data compromise, as well as one that is reported to have occurred at a retail chain at around the same time (see "Debit PIN theft: The mystery continues," The Green Sheet, April 24, 2006, issue 06:04:02) largely because the card Associations have been so tight-lipped on the subject.

"The two incidents were making people sit up and take notice," said Stuart Taylor, an independent consultant and former VeriFone executive.

In the retail breach, "the fear is that the cryptography has actually been hacked," Taylor said. "If [the encryption keys] have been hacked, that is fairly bad news for the payment systems as a whole. From a cryptographic standpoint, it shouldn't be possible to retrieve the PINs.

"Is it really cryptography that's being broken, or is it failure to comply with standards and a matter of human failure? It seems that it has to be a combination of human error and failure to comply with Association standards."

MasterCard International did not respond to requests for information as to whether its cardholders were affected by the incident at the ATM processor.