When A Credit Card Payment Processor Gets Hacked
April 3rd, 2012 | Posted in Incident Response | PCI
Not to make light of the gravity of the event, but here we go again – Consumers are subjected to another round of warnings about yet another credit card information breach! Unfortunately, these data breach warnings are in danger of becoming as common as the daily weather report. This time the source of the breach, which affects Visa and MasterCard credit and debit cards, has been laid at the feet of Atlanta-based payment processor Global Payments. Global Payments self-reported that unauthorized access into its processing system had indeed taken place earlier this year.
Here’s what we know so far, according to a memo reviewed by The Wall Street Journal: an estimated 1.5 million cards were exposed between January 21 and February 25. Law enforcement officials were notified and forensic reviews are being conducted. The U.S. Secret Service is also investigating the incident. The breach was traced to a New York City-based taxi-cab, parking and garage company and may have been the work of a Central American gang. In response to the possibility of the breach having occurred in the New York taxi-cab environment, Visa responded that the incident is “contained.”
On April 1st, Global Payments released additional information about the breach, saying it believes fewer than 1.5 million accounts were exposed. It said the accounts were limited to North America, and that cardholder names, addresses and Social Security numbers were not obtained in the breach. However, other information, including card numbers that can be used to create counterfeit cards, was exported from its system. Track 2 card data, which carries the 16-digit card number and the other information needed to create such forged cards, may also have been stolen, Global Payments reported.
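One defensive use of that detail: an egress or log monitor can flag Track 2-formatted records leaving the processing environment. The following is an added Python example, not code from the original post or from Global Payments; it matches the ISO/IEC 7813 Track 2 layout, filters false positives with the Luhn check, and masks the PAN in its alert so the detector itself does not leak card data. The log lines are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# ISO/IEC 7813 Track 2 layout: ';' start sentinel, PAN (13-19 digits),
# '=' field separator, YYMM expiry, 3-digit service code, discretionary
# data, '?' end sentinel. Sentinels are optional here because logs often
# truncate them.
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>\d*)\??"
)

def luhn_valid(pan: str) -> bool:
    """Luhn check digit validation; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only first six and last four digits in any alert output."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(text: str) -> List[Dict[str, str]]:
    """Return masked descriptions of every plausible Track 2 record in text."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan = m.group("pan")
        if not luhn_valid(pan) or not 1 <= int(m.group("mm")) <= 12:
            continue
        hits.append({"pan": mask_pan(pan),
                     "expiry": m.group("yy") + "/" + m.group("mm"),
                     "service_code": m.group("svc")})
    return hits

def scan_logs(lines: List[str]) -> List[Tuple[int, List[Dict[str, str]]]]:
    """Scan proxy/log lines; return (line index, hits) for lines that match."""
    return [(i, h) for i, line in enumerate(lines) if (h := find_track2(line))]

# Constructed sample egress log lines (test PAN 4111111111111111 is Luhn-valid;
# the second line's PAN is off by one digit and must not alert).
SAMPLE_LOGS = [
    "2012-02-25T03:14:07 proxy out 10.0.0.5 -> 203.0.113.9 body=;4111111111111111=15121011234567890?",
    "2012-02-25T03:14:09 proxy out 10.0.0.5 -> 203.0.113.9 body=;4111111111111112=1512101123?",
    "2012-02-25T03:15:00 app batch settle count=1500000 status=ok",
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS):
        print(f"ALERT line {idx}: {hits}")
```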
Of course, and rightly so, news of the breach sparked new concerns over security in the credit-card industry. The global standard for credit card processing security compliance is Payment Card Industry (PCI) certification. Earlier this week a Forbes article reported that, as a result of the hack, Visa Inc. dropped Global Payments from its registry of providers that meet data security standards, meaning Global Payments will pay Visa more for processing transactions. (The processor can be reinstated once a new PCI report of compliance has been issued. Global Payments has continued processing Visa transactions.) Some security analysts in our industry would say we have spent billions of dollars trying to secure the payment systems, with measures such as PCI, but to no avail.
Where does the cyber security community go from here? What is the next step in the quest to secure consumer data in the credit card industry? Many players in the U.S. cyber security arena would like to see the “smart card” microchip technology already used widely in Europe adopted in the U.S., as a significant improvement over the credit card data security controls we currently have in place. Chip-and-PIN cards carry a tiny computer chip that is read by a point of sale (POS) terminal and require the cardholder to enter a 4-digit personal identification number (PIN) at the time of the transaction. The transition would require replacing millions of existing cards and hundreds of thousands of POS terminals; and while in-store fraud has declined where this technology has been deployed in other parts of the world, card-not-present fraudulent transactions (made via phone and web) have exploded, as reported in a 2011 bankrate.com article, “Are chip and PIN credit cards coming?”. Both Visa and MasterCard have now announced plans to have the payment infrastructure for chip and PIN transactions in place by April 2013, according to a PCMAG.COM article, which also mentions additional technologies the card brands are exploring to improve the security of transactions.
Whatever the next technology or line of attack may be, cyber security professionals must remain vigilant in protecting all consumers’ personal information, including their credit card data, from theft or exploitation.