MasterCard, VISA Warn of Possible Global Payments Processor Credit Card Breach
‘Massive’ credit card data breach involves all major brands
Breach could involve more than 10M card numbers
The breach was reported earlier Friday by the Krebs On Security blog.
VISA and MasterCard are alerting banks across the country about a recent major credit card breach at a U.S.-based credit card processor. Sources in the financial sector are calling the breach “massive,” and say it may involve more than 10 million compromised card numbers.
In separate non-public alerts sent late last week, VISA and MasterCard began warning banks about specific cards that may have been compromised. The card associations stated that the breached credit card processor was compromised between Jan. 21, 2012 and Feb. 25, 2012. The alerts also said that full Track 1 and Track 2 data was taken – meaning that the information could be used to counterfeit new cards.
Neither VISA nor MasterCard have said which U.S.-based processor was the source of the breach. But affected banks are now starting to analyze transaction data on the compromised cards, in hopes of finding a common point of purchase. Sources at two different major financial institutions said the transactions that most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area.
It’s not clear how many cards were breached in the processor attack, but a sampling from one corner of the industry provides some perspective. On Wednesday, PSCU — a provider of online financial services to credit unions — said it alerted 482 credit unions that appear to have had cards impacted by the breach, and that a total of 56,455 member VISA and MasterCard accounts were compromised. PSCU said fraudulent activity had been detected on a relatively small number of those cards — 876 accounts — and that the activity was geographically dispersed.
- Update, 11:52 a.m. ET: VISA just issued the following statement in response to this story:
- “Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands. There has been no breach of Visa systems, including its core processing network VisaNet.
- Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards.
- It’s important for U.S. Visa consumer cardholders to know they are protected against fraudulent purchases with Visa’s zero liability fraud protection policy, which exceeds federal safeguards. As always, Visa encourages cardholders to regularly monitor their accounts and to notify their issuing financial institution promptly of any unusual activity. Additional consumer security tips are available at www.VisaSecuritySense.com.
- Every business that handles payment card information is expected to protect the security and privacy of their customers’ financial information by adhering to the highest data protection standards. Visa also supports advanced security layers such as encryption, tokenization and dynamic authentication through EMV chip technology to further protect sensitive account information and minimize the impact of data compromises.”
- Update, 12:15 p.m. ET: The Wall Street Journal is reporting that the breached processor was Global Payments Inc., which processes credit and debit cards for banks and merchants.
Law enforcement investigators believe that this breach may be somehow connected to Dominican street gangs in and around New York City. This comes from two reliable sources.
Global Pauments stock price (GPN) is down close to 10% today on this news http://www.dailyfinance.com/quote/nyse/global-payments-inc/gpn
CNN has reached out to the other major credit card brands, including American Express, for comment.
In data breach situations, credit card companies generally offer affected customers fraud monitoring services at no cost — and customers aren’t on the hook for any fraudulent charges. The card issuers themselves are responsible for those costs.
Questions about industry standards: Several security researchers said the breach is a prime example of why the current Payment Card Industry Data Security Standard (PCI-DSS) is inadequate.
“Expect to see yet another round of almost religious fervor in the debate over the real value of PCI-DSS,” Geoff Webb, director of product marketing at data-protection company Credant Technologies, said in an email.
Cybercriminals “are constantly looking for opportunities to identify and attack sites where there is a weakness in security — just like a predator looks out for the weakest member of the herd,” he added.
Litan, the Gartner analyst, is skeptical about whether the credit card industry will invest the money and time required to switch to a more secure system, like “smart cards” embedded with chips, which are used in some foreign countries.
“It’s cheaper for them to deal with these breaches than to make all those chip cards,” Litan told CNNMoney. “We’ve had all of these breaches, but there have not been any significant attempts to change the situation. The information is easy to steal, and cards are easy to use, so it’s like free money for criminals.”
VISA and MasterCard are alerting banks that this may involve over 10,000,000 credit cards !