Visa has dropped Global Payments from the list of companies that it deems compliant with its security policies following news that the third-party vendor experienced a security breach that could have compromised some 1.5 million Visa and MasterCard accounts.
The breach first came to light at the end of last week, and Global Payments has since admitted it was the source. The company has taken a number of steps to enlighten the public, including the establishment of a dedicated Web page for cardholders and vendors.
The incident took place early in March, according to Global Payments. The company provided little detail about how it happened or its impact, but did say it had been contained.
Global Payments declined to provide further details. Visa did not respond to our request to comment for this story.
How It Happened
While all the parties are zip-lipped about the data theft, there’s plenty of buzz about how it may have occurred.
One rumor blames members of a New York-based Latin American gang. They may have guessed the answers to some knowledge-based authentication (KBA) questions, enabling them to crack passwords, security consultant Robert Siciliano told the E-Commerce Times.
A Doozy of a Breach
How it happened, though, is immaterial to cardholders and merchants that might be defrauded. Clearly this security breach was a doozy, said Christopher Ciabarra, CTO with Revel Systems.
“This is a big deal and turning into a bigger one with Visa’s decision to drop the company,” he told the E-Commerce Times.
It is understandable that Visa dropped Global Payments, Tim Keanini, CTO for nCircle, told the E-Commerce Times.
“Cleaning up after a breach that includes 1.5 million cards will require an enormous mop and a whole lot of elbow grease,” he said.
MasterCard will probably follow suit within a few days, Keanini predicted.
What Can Cardholders Do?
There is no way a consumer can tell whether any given card transaction was processed by Global Payments. However, the company’s size suggests it’s more than likely that most card-using consumers have been touched by the vendor at some point.
One basic security measure consumers can take, according to Keanini, is to set up an alert for transactions greater than US$50 to allow verification. Another option is to have a new card issued.
MasterCard and Visa are contacting the banks that issued the credit cards that were impacted and automatically replacing cards known to be compromised, noted Chet Wisniewski, senior security advisor at Sophos.
“It is a good practice to review all transactions on your statement each month, regardless of whether you think your card has been involved in a data breach,” he told the E-Commerce Times.
Still, such advice doesn’t take into account the possibility of identity theft down the road, noted Peter J. Toren, attorney with Weisbrod Matteis & Copley.
“While this seems unlikely given the type of information stolen, it is possible that the hackers can use this information to gain access to other types of information, or combine it with publicly available information that could be used in identity thefts,” he told the E-Commerce Times.
Also, no matter how responsive and accommodating MasterCard and Visa will be in the coming days, they will almost certainly experience a backlash from irate customers, Toren continued.
“I don’t think that most credit card users appreciate that much of the information they provide to Visa/MasterCard is not managed by these companies but is managed by third-party vendors,” he said.