Payment processor Euronet Worldwide Inc. reported on Monday that part of its European businesses sustained a computer security breach late last year. The disclosure is of interest to the U.S. payments industry as it moves slowly toward adoption of EMV chip cards because most European cards have both a chip and a magnetic stripe, and Euronet linked the resulting fraud from its breach only to magnetic-stripe transactions.
“The majority of cards processed by Euronet are EMV-compliant chip-and-PIN cards,” Euronet said in a regulatory filing. “Losses from fraudulent card activity appear to have been limited to magnetic-stripe transactions processed on the affected systems. No losses have been reported on EMV chip-and-PIN transactions.”
Based in the Kansas City, Mo., suburb of Leawood, Kan., Euronet has customers in 150 countries and provides prepaid mobile top-ups, ATM and card processing services, and money transfers. Euronet said in the filing that a “small portion of its European business was the target of a criminal security breach.” The company said it took “immediate steps” to contain the breach, and that no losses on bank cards have been reported to the company for more than a month.
The filing left many questions unanswered, including exactly when, where, and how the breach happened, how many payment card numbers were compromised, and the extent of the losses. A Euronet spokesperson would not comment beyond the filing.
Euronet did say that the breach affected a part of the company’s processing business that represents less than 5% of its transactions and revenues. “Euronet has taken aggressive measures to remediate the breach and further strengthen its security controls, and is working closely with international card associations and law enforcement in this regard,” the filing says.
David Albertazzi, a senior analyst at Boston-based Aite Group LLC, says that while many factors about the breach and how the fraud happened remain unclear, skimming is a possibility. That is, after the criminals stole account numbers and PINs from Euronet’s system, they used that data to make fake mag-stripe cards that they could then use to make ATM withdrawals or purchases. “It seems like the fraud impact here is equivalent to the type of information they would gather from a skimming operation,” he says.
EMV chip cards cost much more than magnetic-stripe cards and are ineffective against online and some other types of fraud, but they have much better defenses against the counterfeit fraud that plagues mag-stripe cards. Plus, Americans in the past couple of years have begun reporting that some places in Europe won’t process transactions on the older technology. Some U.S. banks have begun issuing chip cards for their cardholders who travel abroad frequently. “It’s still just a cost issue of rolling those programs,” says Albertazzi.
Euronet said it has insurance to cover potential liabilities from the breach, which it does not expect to be material. “No claims or losses were asserted against the company in the fourth quarter 2011,” the filing says. “The level of overall loss that may be associated with the breach is uncertain at this time, since information concerning the loss levels have not been communicated by the card associations to Euronet.”