Visa, MasterCard Warn Of Breach At Card Processor

UPDATE–MasterCard and Visa have confirmed that they are investigating a potentially huge data breach at one of the companies’ payment processors, which the Wall Street Journal has identified as Global Payments Inc. 

UPDATE–MasterCard and Visa have confirmed that they are investigating a potentially huge data breach at one of the companies’ payment processors, which the Wall Street Journal has identified as Global Payments Inc. 

The credit card giants are alerting banks about a breach at a U.S. based card processor that occurred between late January and late February, 2012. The exact size of the breach is unknown, but may involve more than 10 million compromised cards, Krebsonsecurity reports. Global Payments Inc. did not respond to a request for comment. The company halted trading Friday afternoon as news broke of the breach, sending shares of the company down nine percent. 

The data stolen may include full Track 1 and Track 2 information, which would make it easy for criminals to create counterfeit cards using the stolen data. Krebs reports that the stolen data may already have been used to make illegal purchases. He cites a warning on Wednesday from PSCU, a firm that provides financial services to credit unions, that 876 accounts were identified that had fraudulent activity, out of more than 56,000 at member banks that could have been compromised in the breach. 

Both Visa and MasterCard now have confirmed that they are investigating the breach.

“Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands. There has been no breach of Visa systems, including its core processing network VisaNet. Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards,” the company said in a statement.

“It’s important for U.S. Visa consumer cardholders to know they are protected against fraudulent purchases with Visa’s zero liability fraud protection policy, which exceeds federal safeguards. As always, Visa encourages cardholders to regularly monitor their accounts and to notify their issuing financial institution promptly of any unusual activity.”

Merry Pateuk, director of public relations at PSCU, confirmed that her employer issued a warning this week. She said her company was notified by Visa and MasterCard of the breach on March 23. The St. Petersburg, Florida company processes debit- and credit card transactions on behalf of around 700 credit unions across the U.S. She said the impact on her organization was “not tremendous,” and disputed reports that 56,000 customers of its credit unions were affected. 

“The number was smaller than that, after we went through and removed duplicate- and inactive accounts,” she said. Pateuk declined to say how much smaller the total number of compromised accounts was. She also declined to say how many accounts had been used for fradulent purchases, but disputed reports that 876 accounts of customers were found to have been used fraudulently. “I don’t know where that number comes from,” she said.

PSCU  has notified its customers of the affected accounts and advised them to monitor those accounts for signs of fraud. 

Sophisticated hackers have targeted credit card processors before, with the most prominent example being the attack on Heartland Payment Systems in 2009, which turned out to be one of the larger such compromises in history. 

Suggested articles

Discussion

  • Anonymous on

    I have a bad feeling this is going to be huge. Thanks VISA/MC for protecting us. 

  • Anonymous on

    Thanks Threatpost for the up-to-date info!

  • Anonymous on

    This online banking stuff is great isn't it?

  • Anonymous on

    But are they protecting the vendors that the stolen identities are being used at,  Normally we get stuck with the bill--that's why they are so easy to say that they are taking care of the card holders.

  • Katherine Anthony on

    This has nothing to do with online banking. This is how plastic cards (debit and credit) have worked since the invention of the Point Of Sale Terminal by VeriFone in 1981. Once the card is swiped at the terminal (or processed by an online point of sale script), that information has to be processed by the store's Payment Processor (en.wikipedia.org/wiki/Payment_processor). That's why buisnesses need a WAN connection to proccess credit cards, and why a slow or faulty network connection can slow or stall what should be a several second transaction. "[The] payment processor will both check the details received by forwarding them to the respective card’s bank issuing bank or card association for verification, and also carry out a series of anti-fraud measures against the transaction." In other words, the data breach happened at the intermediary between the Merchant and the card's Issuer. It doesn't matter if you used your card at the Kwik-E-Mart down the street or Amazon.com, this is how modern plastic money works.
  • Anonymous on

    Considering the hassel for those obvious requirements on PCI compliance from the credit card issuers, this is actually petty funny. Is there a self mandated PCI form issuers needs to comply with or is this just "do as I say, not as I do" ? Ha !

  • cindy on

    I have a business, but I am an "at location" charging merchant.  The best way to protect yourself at your place of business is to make sure and ask for state identification!  I can't stress this enough!  Yes, I'm glad they are protecting the consumers, but we as merchants have to protect ourselves as much as possible!!!  I have personally gone through two credit card breaches over the past year - one a bank card and one a business credit card.

  • Emily on

    As a telephone merchant, I have a yearly zero percent of chargebacks.  How do I do it?  When I new customer calls, we go jointly to their bank and verbally verify name, address, card number, expiration, date of birth, telephone number, (and of course I have the bank's phone number; I called it), and that the amount the customer plans to spend is available - not how much outstanding credit there is - although CSRs at the bank often say that instead!  The date of birth catches young folks visiting grandma and snatching her card.

     

    People who won't do this don't become my customers.  I do this only the first time they call, for that particular credit card.  I don't do it again - and have been hurt very few times for that practice.

     

    Threre's magic to this:  I have nice cooperative customers:  The grumps, the edgy folks, and naturally the ones who intended to take advantage - never become customers.  After that, I can have more faith and trust in clients than one usually would.

     

    This I know would not have anything to do with the intermediary being compromised, which is probably an inside job.

     

     

  • Anonymous on

    Until merchants are held responsible for card fraud dollars, the system will not change. Merchants and vendors always want to make it as simple as possible for a consumer to make a purchase:  cards are accepted without proof of identification (how often do you get asked for a picture id), and now most transactions under $100 don't even require a signature.  So even if there is a breach at a processor like Global or Heartland, and merchants continue to accept cards without verifying card ownership but continue to not have any liability- (they  get paid no matter what), and credit unions and banks foot the fraud bill (hello-Visa and Mastercard make the guarantee but they don't pay the fraudulent dollars-your credit union or bank does- which means you ultimately do), then the circle of fraud continues.

  • Independent on

    So, how does PayPal do it? NEVER a breach! What are they doing right?

    When I make a purchase using PayPal, l use an associated security key linked to my account. before my purchase can even be processed I must submit a 6 digit key that's generated from my harware key device in my hands, along with my password. That device generates a new  6 digit key every 30 seconds... The sequence generated is the real protection. steal my given 6 digit key, it's useless! Steal my security key, it's useless without my password. Get both at the same time? Fantasyland! PayPal is a global processor and never breached. 

    Visa and MC could care less. The money is in the process real or stolen. I'm one of those CU members that had her card number hacked two months ago.

  • Tinman57 on

      It has always bothered me that no one bothers to check drivers licenses when using a credit card.  And places like Walmart don't even check id's for checks, and to me that's insane.  I know if a crook ever gets ahold of my checkbook, the first thing they're going to do is head to Wally-World for some shopping.....

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.