Merchant processor Global Payments Inc. says it believes fewer than 1.5 million card numbers were taken from its processing system in a data breach disclosed on Friday. Meanwhile, Visa Inc. has removed Global from its list of merchant processors compliant with the Payment Card Industry data-security standard (PCI), but Global hopes to get back into the leading card network’s good graces as “expeditiously as possible,” chairman and chief executive Paul R. Garcia said on Monday.
Atlanta-based Global Payments took the unusual step of issuing a press release on a Sunday night to disclose a few more details about the breach, though many questions remain unanswered even after Garcia and two other top company executives held a conference call Monday morning with stock analysts to discuss the intrusion.
Garcia said Global believes the breach affected just a portion of its processing system, “a handful of servers,” and is confined to North America. Besides the U.S. and Canada, Global Payments operates in Europe and Asia. Garcia carefully worded his statements to acknowledge a compromise but not actually confirm data theft. “The company believes that fewer than 1.5 million card numbers may have been stolen,” he said, later adding that, “based on the forensic analysis to date, network monitoring, and additional security measures, the company believes that this incident is contained.”
Early reports speculated that the breach might have been “massive,” potentially affecting as many as 10 million card numbers. The record for a payment card data breach is the estimated 130 million card numbers compromised in the Heartland Payment Systems Inc. breach disclosed in early 2009.
The investigation so far has revealed that Track 2 card data may have been stolen, but not Track 1 data, Garcia said. Fraudsters did not obtain cardholder names, addresses, or Social Security numbers, but Track 2 on a card’s magnetic stripe includes account numbers and expiration dates that would enable thieves to make counterfeit cards. Responding to an analyst’s question, Garcia said he’s not aware of any fraud stemming from the breach. The compromised card data affected all the major brands in fairly close proportion to their market share, according to Garcia.
Global Payments still has not said exactly when the breach occurred or how intruders gained access to its system. Global itself discovered the breach early in March and reported it; press accounts on Friday said the intrusion happened between Jan. 21 and Feb. 25. “Approximately three weeks ago we identified that cardholder identity may have been taken,” Garcia said. “Literally within hours of that discovery we contacted federal law enforcement and the card associations, so we jumped on this instantly.” But, citing the investigation, he would not confirm the timing of the breach.
Garcia also emphasized that no merchants, point-of-sale systems, independent sales organizations, value-added resellers, or other partners were breached, only Global’s system. ISOs generate a large number of transactions for Global in North America.
Meanwhile, Garcia said Global is working hard to improve its security system so it can get a new record of compliance (ROC) from Visa confirming that it is again in compliance with PCI, and that in the meantime it is processing transactions normally. The card networks, which enforce the PCI standards, typically declare that any merchant or processor that is breached is out of compliance with PCI, even if the processor had been validated as compliant in its most recent PCI audit. Garcia confirmed that Global had been in compliance with PCI before the breach. Visa delisted Heartland from its list of approved processors after its breach but eventually reinstated the big acquirer without any disruption of transactions.
“It’s a little bit like a Joseph Heller novel, ‘Catch 22,’” Garcia said. “I mean, you are compliant prior, if something happens, by definition you no longer [are], therefore that [being delisted by Visa] is not totally unexpected.” He wouldn’t predict how long it would take to get a new ROC.
Company brass indicated that Global Payments will take a one-time charge to cover breach-related expenses, but how much or when isn’t known yet. If the pattern in previous breaches holds true, those costs are likely to include fines from the card networks.