Visa expels Global Payments after card breach

Cause remains shrouded in mystery.

Visa has dumped Global Payments from the list of credit card processing service providers it uses after a breach that compromised about 1.5 million cards.

The credit card maker said the list was for service providers that were compliant with payment industry guidelines.

Global Payments chairman and CEO Paul Garcia told investors that the dumping did not come as a surprise.

"Upon reflection, this was not unexpected, and we are focused on remediation efforts for full and timely PCI (Payment Card Industry standard) reinstatement," he said.

Global Payments said it is still processing transactions, despite being off Visa's approved list.

Visa moved much faster removing Global Payments from the list than it did when another processor, Heartland Payment Systems, announced a breach of some 100 million card numbers in January 2009.

In that case, Visa expelled Heartland from the list about two months later, but Heartland re-validated compliance within roughly six weeks.

In the case of Heartland, Visa told merchants that, despite the processor being temporarily removed from the list, they faced no fines for continuing to do business with it.

Hack evidence

Global Payments was the victim of a data breach affecting cards from all of the major brands, including Visa and MasterCard.

Two days after confirming the breach, the company said fewer than 1.5 million card numbers were compromised, down from some earlier estimates that had placed the number closer to 10 million.

Garcia told investors that the breach, which was discovered roughly three weeks ago, occurred on an unspecified segment of the company's North American processing system.

The hackers accessed only magnetic stripe-encoded Track 2 data, which is up to 40 characters in length and includes a card's primary account number, expiration date, service code, PIN and CVV number.

Other information, such as names, addresses and Social Security numbers, were not exposed.

The incident, which was "confined," did not involve the systems of any customers or partners, Garcia added.

"We had security measures in place that caught it," he said. "It was our systems. It had nothing to do with merchants."

Garcia's account of the breach, first reported by security journalist Brian Krebs in his Krebs on Security blog, runs counter to at least two other pieces of possible evidence.

The first is the chronology. PSCU, which provides financial services, such as bill payment solutions, to 680 credit unions, sent a security alert last week after being contacted by Visa.

The alert, obtained by SCMagazine.com, reported the breach lasted from Jan. 21 and Feb. 25. If that is true, it would belie Garcia's statement that the incident was internally discovered three weeks ago.

The second is the entry point. Avivah Litah, vice president and distinguished analyst at Gartner, told SCMagazine.com that, based on what her sources in the payment industry told her, she is "95 percent" sure that the breach initiated at a taxi and parking garage company in New York City.

A spokesman for the city's Taxi and Limousine Commission, which licenses cabs, did not respond to a request for comment.

Garcia declined to discuss these specifics, such as a timeline of events, and he would not elaborate on how the hackers accessed the the network.

He said the company is not aware of any fraud as a result of the breach, but that it would be responsible for paying for any replacement cards that are issued by banks.

"What's the takeaway on PCI?" Gartner's Litah asked on Monday in a blog post. "The same one that's been around for years. Passing a PCI compliance audit does not mean your systems are secure. Focus on security and not on passing the audit."

This article originally appeared at scmagazineus.com