March 30, 2012, 4:27 PM

A payment card breach at processor puts consumers at risk

An unknown number of cards are involved in the incident.

Kevin Woodward

Senior Editor

Lead Photo

Less than 1.5 million credit and debit card accounts may be at risk following the revelation last week that criminals gained access to a portion of payment processor Global Payments Inc.’s network.

Global Payments says it discovered the intrusion in mid-March and “immediately engaged external experts in information technology forensics and contacted federal law enforcement,” as well as payment card brands. Global Payments did not disclose the types of transactions involved.

“It is crucial to understand that this incident does not involve our merchants or their relationships with their customers,” says Paul R. Garcia, Global Payments chairman and CEO.

Criminals appear to have retrieved sensitive card data that includes the card numbers, expiration dates and other data, Global Payments says, but did not gain access to cardholder names, addresses or Social Security numbers. Global Payments says it appears the incident has been contained, and is confined to North America. Global Payments says it annually processes approximately five billion transactions worldwide.

In a statement MasterCard says it is “investigating a potential account data compromise event of a U.S.-based entity,” and it has alerted payment card issuers about some MasterCard accounts that are at risk. Visa says it, too, is investigating. Both card brands say their systems have not been compromised.

Just what the investigation reveals will be interesting, says Julie Conroy McNelley, a fraud and security analyst at consulting firm Aite Group LLC, especially if the criminals retrieved the full card number and security code, known as the PAN data and CVV, respectively. In that case, criminals could use the stolen card data to make purchases from e-retailers, McNelley says.

E-commerce retailers should be alert to criminals using the stolen card data, says Avivah Litan, an analyst at Gartner Inc. "These stolen cards could be used at their sites," Litan says. The card brands are obligated to tell the issuing banks which card numbers are involved, but not retailers, she says. "They don't get any fair warning," she says. That means a transaction made with stolen card data still could be authorized, and later declined, she says. That puts the onus on an e-retailer's fraud prevention systems. "No one is looking after them except themselves."

Criminals continue to pursue payment card data because of the potential financial gain, McNelley says. “There’s so much financial incentive for criminals to go after this data,” she says. “They are nimble, creative and continue to advance their attacks.”

At the Internet Retailer Conference & Exhibition 2012, Tim Toews, consultant and former chief information officer, Office Depot Inc. , will speak in a session entitled “Blocking the hackers: The case for preventive action.”

Comments

Sign In to Make a Comment

Comments are moderated by Internet Retailer and can be removed.

Not a member? Signup for free today!

Advertisement

Advertisement

Advertisement

Relevant Commentary

FPO

Jason Squardo / Mobile Commerce

Five tips for achieving high mobile search rankings

Searches on mobile devices will soon exceed those on computers, Google says. Retailers that keep ...

FPO

Sergio Pereira / B2B E-Commerce

Quill turns to its B2B customers for new ideas

Coming in April is a new section of Quill.com that will let customers and Quill ...

Advertisement