A recent processor breach that was reported by Visa will not reach the scale of the Heartland compromise.
Analysts at iDefense advised that the unidentified payment processor had fallen victim to malicious actors, as publicly confirmed by Visa last week, with MasterCard issuers also purportedly affected by this intrusion.
Rick Howard, director of intelligence at iDefense, claimed that according to web sources, transactions between February and August of 2008 are affected by this incident.
He claimed that the compromised data is believed to include only account numbers and expiration dates, rather than magnetic track data, meaning that the perpetrators will be unable to create counterfeit cards using the stolen credentials, though this does not necessarily mean that a criminal market will not emerge for this data.
The Alabama Credit Union has reported that fraudulent transactions involving Visa debit and ATM cards compromised in this intrusion have already begun to take place. Transactions typically involve the purchasing of prepaid gift and phone cards, and/or money orders from retail outlets, most often occurring in $100 increments.
Details remain scarce at the present time; however, the Tuscaloosa AV Federal Credit Union, Pennsylvania Credit Union Association, and Community Bankers' Association of Illinois have all issued statements regarding the intrusion.
Richard Brain, analyst at ProCheckUp, believes the recent growth in payment processors is due to an unintended consequence of the PCI DSS.
He claimed that this has caused many merchants to outsource their payment processing to payment processors in order to greatly simplify their PCI DSS compliance.
Brain said: "For card criminals, the payment processors are now the obvious targets, mainly due to the extreme amount of card data flowing through them. At least additional strict security requirements should be applied to payment processors.
"Two of the recent breaches are reportedly caused by malicious software installed on the network, which captured card data. This can be prevented for now by requiring all card data within payment processors' internal network to be strongly encrypted."
He claimed that it could be best for the PCI council to create a standard secure network architecture, which has been evaluated and found secure for implementation by payment processors. Additional requirements for payment processors, above those normally expected for merchants, could also be created to add further protection.