Tag Archives: data breach

Visa and MasterCard Sued by Home Depot over Chip Card Security

Around the world, 80 countries have added EMV chips to their credit cards. These chip cards are more secure than credit cards with only a magnetic strip and have helped to reduce credit card fraud in many places. As a result, these cards are now being introduced in the United States. Many retailers, however, are alleging that Visa and MasterCard are not utilizing the chip to its fullest potential. Home Depot has joined other retailers, like Wal-Mart, by filing a lawsuit against the credit card issuers. Mark Horwedel, CEO of the trade group the Merchant Advisory Group, expects more lawsuits to follow.

The lawsuit contends that Visa and MasterCard are not doing enough to prevent credit card fraud, yet are forcing retailers to carry more of the cost and liability for fraudulent credit card transactions. Though the chip cards used around the globe may look the same, they aren’t processed the same way. In most of the countries that have adopted EMV technology, a PIN is required to complete a credit card transaction. In the United States, however, Visa and MasterCard are requiring only a signature. This makes transactions less secure than they could be. Since retailers are now responsible for fraud, Home Depot alleges that card issuers are not doing enough to protect them from it.

Failure to require a PIN also creates problems for online customers, where credit card processing is done without a signature or other verification steps. For these transactions, chip card security doesn’t help at all unless it is coupled with a PIN.

Home Depot also claims that it costs them more to process non-PIN transactions, forcing them to pay $750 million a year in credit card processing fees. According to the retailer, Visa and MasterCard are intentionally blocking the store’s ability to protect itself from fees and fraud in order to drive their own profits. They claim chip card security that requires a PIN would better protect consumers and reduce credit card processing costs.

The Home Depot has reason to be concerned, as the company was the victim of a data breach in 2014 that affected 56 million credit and debit card numbers. The retailer immediately implemented credit card processing that incorporated the chip technology, but would like to do more to protect itself and its customers. The company fully supports chip card security and EMV technologies, but wants American consumers to enjoy the same meaningful fraud protection that Europeans have been enjoying for more than a decade.

Terminal Retirements

Following up on our recent blog about the terminal of the future, the VX 520, today we’re going to let the other shoe drop. With the payment processing industry thrusting its spotlight onto security in the wake of the Target Data Breach, the PCI DSS and its upgraded protocols are getting a lot of attention.

Host Merchant Services has been ahead of the curve on PCI compliance, having instituted a PCI Compliance Initiative years ago. But the Payment Card Industry Security Standards Council is in a continuous state of refining its security requirements and best practices, so we here at HMS have to remain agile and adept at navigating these changes.

EMV smart cards, a topic we’ve discussed in depth here, are prompting PCI DSS to reorganize large swaths of its standards and, as a result, retire various terminals. As more and more POS hardware adapts to support EMV chip cards and end-to-end encryption, manufacturers and software developers will have to put their older equipment out to pasture. With the release of EMV/contactless terminal applications, many of the legacy terminal devices and applications do not have the memory capacity required to support the association mandates. As a result, TSYS has provided a preliminary end-of-life schedule for credit card terminal applications that will be fully retired.

This is something the PCI DSS has been preparing for, and as such they have a schedule implemented for the retirement of older equipment. Coming up next is the VX 510 terminal and its VDID300 application, scheduled for retirement on June 3, 2014. The VX 510 and VX 570 terminals running the VXGFT02 application will also be retired that day.

Prior to this date, Host Merchant Services has terminal upgrades available for our merchants. While we will continue to honor merchant boarding for these devices until the effective end-of-life date, once that date passes these devices and applications will no longer be an option within our internal systems, and downloads will no longer be available for terminal updates, swaps or technical support. Upgrading should therefore be a priority, and Host Merchant Services will make the process seamless and trouble-free.

PayPal President Hacked [2023 Update]

Twitter, the modern equivalent of Mad Libs and the yellow journalism of the late 19th century, has revealed to us a gem of irony that makes the whole Target getting hacked story seem that much more poignant.

No one is safe in this bold new era of credit card hackers and identity thieves. Not even the president of a major payment processing company.

PayPal President David Marcus has been the victim of credit card fraud, he said on Monday. The leader of the online payments company revealed via Twitter that his credit card information had been stolen on a trip to the United Kingdom and he’d racked up a “ton” of fraudulent transactions on his account.

Smart Chip Didn’t Help

Marcus speculated that thieves probably skimmed the info from the magnetic stripe on his card, even though his card had an EMV chip, a technology that makes cards in Europe more secure than the ones commonly used in the U.S.

EMV® chip technology, or EMV, is a worldwide standard for credit and debit card payments based around the use of chip card technology. The acronym stands for Europay, MasterCard, and Visa, who collaborated to create the technology. The goal of this project was to create a card that works from a microprocessor chip that is read by the payment terminal. Because the U.S. has yet to widely deploy embedded chip technology, the nation has increasingly become the focus of hackers seeking to steal such information. The stolen data can easily be turned into phony credit cards that are sold on black markets around the world.

Is it Just a Marketing Ploy?

Marcus adroitly used the incident as an opportunity to plug his own company, suggesting that the fraud wouldn’t have happened if the merchant had accepted PayPal. His company is currently trying to expand its presence as a payment option in physical stores, putting it in direct competition with platforms like Square and Google Wallet.

It also comes right when data breaches are major news in the payment processing industry. On December 19, 2013, Target confirmed that a sophisticated data breach had occurred. In their press release they stated: “Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013. Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts. Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident.”

So Marcus’ misfortune happens right at the time identity theft, credit card fraud and hackers are on everyone’s mind. With EMV chip cards being touted as one of the best solutions to the hacking problem, Marcus’ mishap even taps into that buzz.

Heartland Payments Sues Mercury

According to a story in the payment processing industry periodical Digital Transactions, Heartland Payment Systems Inc. filed a federal lawsuit on Wednesday against Mercury Payment Systems LLC. The suit alleged deceptive pricing by Mercury allowed Mercury to lure scores of merchants — well, 30 — away from Heartland and attract prospects to Mercury that had been weighing the two companies for payment-processing services.

Heartland filed suit in U.S. District Court for the Northern District of California, San Francisco. The suit charges Durango, Colo.-based Mercury with false advertising, unfair competition, and intentional interference with contractual relations under the Lanham Act and related California law.

Specifically, Heartland alleged Mercury used inflated network fees to more than compensate for acquirer pricing that undercuts pricing from Heartland. This practice, Heartland alleged, made Mercury’s overall pricing appear to merchants to be lower than Heartland’s, when in fact it is higher. The practice has caused some 30 merchants to abandon Heartland in favor of Mercury over the past six months, Heartland said in the suit.

Heartland examined roughly 300 Mercury merchant statements and found what it claims is deceptive pricing in 75% of those statements, the company said in its complaint.

In response to Heartland’s allegations, Mercury issued this statement on its website: “Mercury will vigorously defend against the lawsuit filed by Heartland. Mercury Payment Systems’ rapid growth in the electronic payments market is directly attributable to the value and flexibility we provide our merchants and partners, and we stand by our business and pricing practices. We are proud of our consistently high satisfaction rates and low merchant attrition rates among merchant acquirers over the past 10 years.”

Mercury chief executive Matt Taylor told Digital Transactions News that Mercury does not engage in deceptive practices.

The Heart of the Matter

Here’s one example Heartland used in its complaint: a restaurant chain compared pricing from various payment processing companies, including Heartland and Mercury.

Heartland indicated it would charge interchange fees at cost, plus seven (7) cents per transaction plus 0.02% of the dollar value of transactions and a $7.50 monthly service fee – all competitive or standard industry rates. Mercury’s bid indicated the same except for a 6.5 cents per transaction fee, half a cent below Heartland’s bid.

As a result, 50 of the chain’s 57 outlets switched from Heartland to Mercury for payment processing. Review of a 2013 merchant invoice from Mercury clearly demonstrates that Mercury was charging a falsely inflated interchange fee of four (4) cents per transaction, making their effective per-transaction fee 10.5 cents instead of their contractually agreed rate of 6.5 cents.

What Are Network Fees?

Network fees are assessed by Visa, MasterCard, and other card networks. Unlike interchange, which is set by the networks but flows from acquirers to card issuers, network fees flow to the networks themselves. In so-called interchange-plus pricing, both interchange and network fees are commonly understood to be pass-throughs to merchants.

When markups on network fees occur, merchants are often unaware of them because of the complexity of merchant statements, which discourages close analysis.

The Bottom Line

Heartland’s suit asks for relief in the form of three times damages as determined by the court as well as three times lost profits. It also asks for an injunction to stop Mercury’s alleged pricing tactics.

Remember When?

This revelation about Heartland comes at a time when the payment processing industry is still reeling from the news of the Target Data Breach.

The major hack of discount retailer Target stole credit and debit card data from 40 million accounts right smack dab in the middle of the holiday shopping season.

The sophisticated hack reportedly took place over several weeks — starting on Black Friday and possibly extending all the way through December 15th — and is said to involve nearly all Target stores in the United States. News of the hack was initially reported by noted security blogger Brian Krebs, who also broke the news in 2012 of the Global Data Breach.

That is a reminder of Heartland’s own history: in 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into its internal card processing network and installed malicious software that allowed them to steal track data on more than 130 million cards.


Hackers find new target: Marriott [2023 Update]

Holiday Inn, Marriott Hotels Suspected Targets of Data Breach

The Official Merchant Services Blog has breaking news regarding the ongoing series of credit card data breaches. On the heels of the major hack of discount retailer Target, which stole credit and debit card data from 40 million accounts right smack dab in the middle of the holiday shopping season, there’s yet another target of hacker greed: Holiday Inn. Lodgers at Holiday Inn, Marriott and Renaissance hotels may have had their payment card details compromised for much of 2013, a hotel management company revealed on Monday.

White Lodging Services, a hotel management company, warned in a news release it suspects point-of-sale systems at restaurants and lounges on 14 of its properties were compromised between March 20, 2013 and Dec. 16, 2013. Guests who did not use their card at restaurants and lounges, as well as those who used their room account for purchases from those outlets, were not affected, the press release revealed.

The Merrillville, Indiana-based company said it manages hotels like Holiday Inn under agreement with hotel owners. The company is a separate entity from the specific hotel brands it operates. White Lodging Services said it has contacted federal law enforcement and initiated a forensic review of its properties. It runs more than 169 hotels in 21 U.S. states.


The Full List

The food and beverage outlets affected by the suspected breach were located at the following hotels:

  • Marriott Midway, Chicago, IL
  • Holiday Inn Midway, Chicago, IL
  • Holiday Inn Austin Northwest, Austin, TX
  • Sheraton Erie Bayfront, Erie, PA
  • Westin Austin at the Domain, Austin, TX
  • Marriott Boulder, Boulder, CO
  • Marriott Denver South, Denver, CO
  • Marriott Austin South, Austin, TX
  • Marriott Indianapolis Downtown, Indianapolis, IN
  • Marriott Richmond Downtown, Richmond, VA
  • Marriott Louisville Downtown, Louisville, KY
  • Renaissance Plantation, Plantation, FL
  • Renaissance Broomfield Flatiron, Broomfield, CO
  • Radisson Star Plaza, Merrillville, IN


White Lodging last week told the New York Times it was investigating a potential security breach, as covered in a report from security writer Brian Krebs, the same Krebs who broke the news on the Target Data Breach as well as the Global Data Breach.

What Was Hacked?

The unlawfully accessed data may have included names printed on customers’ credit or debit cards, credit or debit card numbers, the security code and card expiration dates. Guests who used or visited the affected businesses during the nine-month period and who used a credit or debit card to pay their bills at the outlets might have had such information compromised and are encouraged to review their statements from that time period.

One theory of how this happened is RAM scraping. Attackers plant malicious software, known as “RAM scrapers,” on POS devices; it captures unencrypted card details from the device’s memory after a customer has swiped a card, defeating the other security measures in place to protect sensitive details.

What’s Next?

Financial institutions have reissued some payment cards and are monitoring other credit and debit cards for unauthorized activity, the company said. White Lodging is also arranging to offer one year of complimentary personal identity protection services to all affected cardholders.

The unfolding disclosures have drawn the attention of the U.S. Congress. The House Energy and Commerce Committee is scheduled on Wednesday to hear from senior executives from Target and Neiman Marcus along with the U.S. Secret Service about how data breaches can be prevented.

Host Merchant Services’ PCI Compliance Initiative

Looking at the threat of a data breach, merchants must wonder what the solution can be. Is there protection available? PCI Compliance is a great foundation for transaction security. The standards and protocols set up by the PCI-DSS Council are the first step a merchant needs to take to protect their data. And Host Merchant Services offers a PCI Compliance Initiative that helps its merchants quickly and seamlessly take that step.

Also, one thing to consider if you are a merchant and you are worried about data breaches affecting your bottom line: Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind.



Can Chip Cards Stop the Hax? [2023 Update]

The massive data breach at Target is a big shining beacon illuminating exactly how behind the times the United States remains when it comes to credit card security — namely EMV® chip technology.

EMV is a worldwide standard for credit and debit card payments based around the use of chip card technology. The acronym stands for Europay, MasterCard, and Visa, who collaborated to create the technology. The goal of this project was to create a card that works from a microprocessor chip that is read by the payment terminal. Because the U.S. has yet to widely deploy embedded chip technology, the nation has increasingly become the focus of hackers seeking to steal such information. The stolen data can easily be turned into phony credit cards that are sold on black markets around the world.

In fact, KrebsOnSecurity, the website that broke the news of the Target hack, has reported that the card information stolen in the Target Data Breach has been showing up on the black market. Credit and debit card accounts stolen during the security breach have reportedly flooded underground black markets, going on sale in batches of one million cards. The cards are being sold from around $20 to more than $100 each.

Over the last decade, most countries have moved toward using credit cards that carry information on embedded microchips rather than magnetic strips. The additional encryption on these aptly named smart cards has made the kind of brazen data thefts suffered by Target almost impossible to pull off in other countries. As of Q4 2012, there were roughly 1.62 billion EMV cards in consumers’ hands and 23.8 million terminals deployed throughout Europe, Asia, and Africa. About 80 countries have adopted the technology as a standard. By comparison, about 1% of credit cards issued in the U.S. contain such technology, making the United States a tasty target for hackers.

“The U.S. is one of the last markets to convert from the magnetic stripe,” Randy Vanderhoof, director of the EMV Migration Forum told the LA Times. “There’s fewer places in the world where that stolen data could be used. So the U.S. becomes more of a high-value target.”

The credit card industry reports the U.S. accounted for only 24 percent of global credit card payments by volume in 2012, but it accounted for 47 percent of the fraud.

So Why No Chips in the U.S.?

According to experts the reasons the U.S. lags so badly in adopting smart cards are complicated. In part, there hasn’t been the political will to demand that businesses and financial institutions make the change. One might think the Target data breach would spur politicians to action or at least get consumers to light a fire under those politicians. But the Target hack is just one in a growing list of data breaches, and the 40 million compromised cards are rather mundane.

In April of 2011, the PlayStation Network was hacked, compromising the vital information of 77 million accounts, and 24.5 million Sony Online Entertainment accounts. This has been touted as one of the largest personal data heists recorded in history, and prompted Sony to shut down its services for a month. In 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into its internal card processing network and installed malicious software that allowed them to steal track data on more than 130 million cards.

If neither of those data breaches could spur on the adoption of EMV cards, it’s unlikely the Target hack will move the needle. The inertia built up against the smart cards must then be due to some other reason. Analysts also say the payment processing system in the U.S. is more complicated, with merchants, credit companies and banks reluctant to spend the big bucks it would take to convert a system with 1 billion credit cards to EMV from magnetic stripes. But that’s still too murky.

The primary reason such technology has taken so long to make its way into the U.S. is far simpler: chip-embedded cards are more expensive to produce, and each merchant would have to purchase new equipment to handle them.

What the Future Holds …

The good news for consumers is that the U.S. is indeed moving to embrace smart credit cards. The Official Merchant Services Blog reported almost two years ago that the United States was moving slowly but surely toward adopting chip cards. Visa took the lead in the U.S. push, reporting that as of December 31, 2011, the credit giant had issued more than 1 million credit cards that use “chip” technology to store consumer payment information. Visa announced in August 2011 that it planned to start issuing more EMV (Europay, Mastercard, Visa) smart cards to push the industry toward better security and an easier transition to mobile payments.

In the last couple of years major card issuers have laid out road maps for upgrading the card technology, and many have set out to achieve this by October 2015.

TransFirst, Host Merchant Services’ acquirer and one of the premier providers of transaction processing services and payment processing technologies in the U.S., issued a mandate in response to the EMV push. TransFirst said that Visa will require U.S. acquirer processors and sub-processor service providers to be able to support merchant acceptance of chip transactions no later than April 1, 2013. Visa also intends to institute a U.S. liability shift for domestic and cross-border counterfeit card-present point-of-sale transactions effective October 1, 2015, and for fuel-selling merchants by October 1, 2017.

October 2015 was chosen because at that point major credit card companies will change their rules about who is liable for fraudulent purchases caused by security breaches. Under the new rules, the entity in the payment chain (merchant, credit card company or bank) deemed to have the weakest security will be liable. Credit card companies can’t make anyone adopt the technology, but they’re giving them a hard nudge.

The Bottom Line

While the Target Data Breach once again brings up the topic of credit card security, it seems like the U.S. is still poking along with its slow adoption of EMV chip cards. Hackers will still continue to target the low hanging fruit that the largely magnetic stripe based U.S. credit card industry still works with. But EMV chips and increased digital security of cardholder information is coming. October 2015 looms closer and closer.

The Future of PCI and Data Security

Today The Official Merchant Services Blog marks the triumphant return to the timely topic of PCI DSS and cardholder data security. This tantalizing topic has been touted time and again in the peerless pages of our payment processing chronicles.

Days of Future Past

The crafty criminals that defraud, hack and swipe courageous consumers for their cardholder data are a constant concern for the entire credit card processing and data security sector. The industry has to be ever vigilant in its commitment to curb the high tech criminal activities and keep that cardholder data safe.

Retailers need to be eagle-eyed when it comes to defending data and securing customer information. They also need to be prepared for disaster, with a protocol-based plan of action for the worst case scenario — the dreaded data breach. But none of these advance preparations will save a merchant from data breach dangers if the merchant is unaware of PCI DSS, what it all means and what the requirements for PCI Compliance are.

The misdirection and misinformation out there about the process of PCI Compliance has led to complacency among many merchants. Face front true believers, we’ve even expressed the fantastic facts and figures to support merchant apathy regarding PCI Compliance in previous published purveyances of PCI related blogs.

The media gloms onto the gargantuan headlines of something as garish as a Global Payments data breach, and the searing spotlight of data security dazzles the masses with the terrifying tidbits of these capricious crimes. But the nature of the crime has the danger spreading to small business merchants more and more frequently in the past few years. In fact, in this article from Convenience Store Decisions, it is suggested that the heinous hackers and nefarious fraudsters are backing away from the big fish and targeting the smaller retailers with easier-to-breach defenses.

The CS Decisions scribe John Lofsock posits that one of the prime reasons for this shift can be pinpointed to an alteration in the criminals’ own dastardly demographics. Today’s hacker is becoming less the angst ridden, misunderstood teenager with whiz-bang keyboard and coding powers and turning into a far more treacherous group of villains. As the article puts it, “When hackers run up against businesses with sophisticated information technology and up-to-date security, they’ll turn to easier systems, including those of small non-profit agencies and family businesses.”

Datapocalypse Now

So what does a merchant do? The hale and hoary Host Merchant Services PCI Compliance pioneers readily suggest utilizing their very own PCI Compliance Initiative. PCI Compliance is a fantastic foundation for top-notch transaction security. The superlative standards and powerful protocols set up by the powers that be on the PCI-DSS Council are a forceful first step any enterprising merchant needs to take to protect their data. This is why helpful Host Merchant Services offers a power-packed PCI Compliance Initiative that gets merchants quickly and seamlessly up to speed.

Add to that amazing Initiative the second step that Merchants can take to shore up their security: Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind. This program offers data breach insurance.

The article from CS Decisions quotes Trinette Huber, of Sinclair Oil Corp. in Salt Lake City, as saying “as a merchant, I can go through all the steps to do this and do it in good faith, and yet if I have a breach — which is entirely possible — the PCI council will say I wasn’t literally compliant.”

This is where breach insurance comes into play, true believers. The data breach insurance that cutting-edge and customer-oriented companies like Host Merchant Services offer can curb the pernicious penalties that merchants face when a breach occurs. As we’ve stated time and again here on The Official Merchant Services Blog, security only begins with PCI Compliance. It’s a never-ending battle for safety, justice and the power of payment processing. Merchant services providers need to work in conjunction with merchants to stay out in front of any and all security issues. And even then, disaster can occur, so a solid data security plan will have backup protocols like data breach insurance.

The CS Decisions article also quotes Huber as saying that PCI “is asking thousands of merchants to do something (the credit card companies) should be doing themselves. They should be fixing the magnetic stripe (in credit/debit cards) so it’s not something that can be easily stolen, instead of asking merchants to fix (the security issues) for them.” 

That concern right there is why Visa has been pushing so hard for its EMV chip program with newer, more secure smartcards that have worked so well in Canada and Europe. Huber is noted in the article for describing the overbearing cost that the switch to EMV could entail for small business owners, as well as the fact that the EMV chips have been in place for decades and have already had data compromised before.

So if not EMV, Then What?

Will no canny crusader for competent credit card processing and dependable data transfer step up to take the challenge presented by the PCI DSS? John Lofsock, the audacious author of the article we’ve been analyzing, thinks that Point to Point Encryption (P2PE) might be the champion the industry needs. This tantalizing technology that is newer than EMV chips apparently ensures that credit card data is protected from the moment it is swiped all the way through to the nanosecond it arrives with the payment processor. This could curry favor with retailers because it completely eliminates the need for the retailer to secure cardholder data, as the retailer never has possession of said data.

The real boon, as noted by Lofsock, is that the P2PE method will make it much cheaper for merchants to be PCI Compliant by removing the need for merchants to deal with network segmentation and other costly and time-consuming parts of the compliance process like the audit.

It is noted that PCATS and PCI are preparing future standards that deal with P2PE, so it is on their radar.

In the meantime, Host Merchant Services continues to offer the lowest PCI Compliance rates in the industry, as well as a vigorous PCI Compliance Initiative that seeks to inform and educate everyone interested as to the details of the process, step-by-step.

Global Data Breach: Update #3

For today’s installment of The Official Merchant Services Blog, we are bringing you the most recent developments of the now infamous Global Payments Data Breach.

Back in March

When we first reported the breach, it had supposedly affected 50,000 cardholders and revolved around a taxi and parking garage company in the New York City area. Over a short time, media outlets hyped up the story until the alleged number of affected cardholders hit 10,000,000. Global CEO Paul Garcia estimated that closer to 1.5 million card numbers were compromised. Garcia also said that the breach was “self-reported” and “absolutely contained.”

In a quick response to the breach, Visa decided to remove the Atlanta-based processor from its list of “compliant service providers.” This meant that, for the first time, Global would no longer be Payment Card Industry (PCI) compliant, a major problem for one of the world’s largest payment processors. However, more consequences were to come for Global.

Update # 2

In May we learned that the breach might actually have dated back to June of 2011, a full eight months earlier than previously predicted. Global stuck by its story that the breach only affected 1.5 million cards or less, and occurred in February 2012. However, Brian Krebs, the initial source on the breach, revealed on his blog krebsonsecurity.com that “a hacker break-in at credit and debit card processor Global Payments Inc. dates back to at least early June 2011, Visa and MasterCard warned in updated alerts sent to card-issuing banks in the past week.” Krebs also found that Visa and MasterCard were sending periodic alerts to the banks about cards that may need to be re-issued following a security breach at a processor or merchant.

The 3rd time’s the charm

Global Payments executives estimated Thursday that the data breach revealed earlier this year could cost them upwards of $120 million to fix. A large part of that is an $84 million charge from the fourth quarter of fiscal year 2012 to cover fines and initial remediation costs from the payment card networks. Global CFO David Mangum said that the company also anticipates breach-related expenses and insurance payments in fiscal 2013 that could total $28 million or more. All the while, Global is working with a ‘Qualified Security Assessor’ in order to regain the PCI compliance certification it lost when the breach went public.

Tracking Track Data

Track data is the raw cardholder data encoded on the magnetic stripe of a credit or debit card.  In late May, Global asserted that only Track 2 data had been lost in the breach; Track 2 contains the account number and expiration date.  Track 1 additionally carries the cardholder name.  Global seemed to be insisting that this would lead to less fraud, since thieves could not produce counterfeit cards with the stolen data.  Union Savings Bank, based in Danbury, Conn., was one of the banks alerted early by Visa and MasterCard about potential fraud.  Visa alerted USB that about 1,000 of its debit accounts were compromised in the Global Payments breach.  These details show how Track 2 data alone was enough for criminals to encode the card numbers and expiration dates onto any card equipped with a magnetic stripe.  Such cards can then be used at any merchant accepting signature debit, that is, in any transaction that does not require the cardholder to enter a PIN.
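To make the Track 1 / Track 2 distinction concrete, here is an added example written for this page (not code from Global Payments, Visa, Brian Krebs or Host Merchant Services). It scans a constructed log excerpt for raw magnetic-stripe track records laid out per ISO/IEC 7813, Luhn-checks the account numbers so random digit runs are skipped, reports what each record exposes (Track 2 has no name but still yields the PAN and expiry a magstripe clone needs), reads the ISO 7813 service code to say whether the issuer demanded a PIN, and scrubs the records from the line. The log lines and the test PANs are constructed for the example; the scan is the kind of check a merchant can run on its own logs, because PCI DSS prohibits storing full track data after authorization.

```python
"""Scan text (logs, database dumps, support tickets) for raw magnetic-stripe
track data, which PCI DSS forbids storing after authorization.

Track layouts follow ISO/IEC 7813:
  Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
  Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
Track 2 carries the PAN and expiry but no cardholder name.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check so digit runs that merely look like a PAN are skipped."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pin_required(service_code: str) -> bool:
    """ISO 7813 service-code position 3: values 0, 3 and 5 mean the issuer requires
    a PIN; anything else lets the card ride on signature (or no) verification."""
    return service_code[2] in "035"


def mask_pan(pan: str) -> str:
    """First six and last four digits are the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TrackHit:
    track: int
    pan: str
    name: Optional[str]   # only Track 1 carries the cardholder name
    expiry: str           # YYMM
    service_code: str


def find_track_data(text: str) -> list[TrackHit]:
    """Return every Luhn-valid Track 1 / Track 2 record found in `text`."""
    hits = []
    for m in TRACK1_RE.finditer(text):
        pan, name, yy, mm, svc, _disc = m.groups()
        if luhn_ok(pan):
            hits.append(TrackHit(1, pan, name.strip(), yy + mm, svc))
    for m in TRACK2_RE.finditer(text):
        pan, yy, mm, svc, _disc = m.groups()
        if luhn_ok(pan):
            hits.append(TrackHit(2, pan, None, yy + mm, svc))
    return hits


def scan_log(text: str) -> list[dict]:
    """Walk a log line by line and report each track found, with the PAN masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for hit in find_track_data(line):
            findings.append({
                "line": lineno,
                "track": hit.track,
                "pan": mask_pan(hit.pan),
                "name": hit.name,
                "expiry": hit.expiry,
                "pin_required": pin_required(hit.service_code),
            })
    return findings


def redact_track_data(line: str) -> str:
    """Replace whole tracks with a masked marker so a retained log no longer holds
    sensitive authentication data. Redaction does not wait for a Luhn pass:
    when in doubt, scrub."""
    line = TRACK1_RE.sub(lambda m: "[TRACK1 REDACTED " + mask_pan(m.group(1)) + "]", line)
    return TRACK2_RE.sub(lambda m: "[TRACK2 REDACTED " + mask_pan(m.group(1)) + "]", line)


# Constructed sample: a POS debug log that wrongly wrote raw swipes to disk.
# The PANs are the well-known Visa/MasterCard test numbers; the last line fails Luhn.
SAMPLE_LOG = """\
2012-02-21 10:14:03 auth ok mid=11001 amt=42.17 resp=00
2012-02-21 10:14:07 raw-swipe mid=11001 data=%B4111111111111111^DOE/JANE^25121011234567890?;4111111111111111=25121011234567890?
2012-02-21 10:15:22 raw-swipe mid=11002 data=;5500000000000004=2406120123456?
2012-02-21 10:16:40 debug token=;4111111111111112=2512101123?
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(redact_track_data(SAMPLE_LOG.splitlines()[1]))
```

Run as-is, the scan reports three records: a Track 1 and a Track 2 copy of the same card on line 2 (service code 101, no PIN demanded, so a clone rides the signature-debit path the Union Savings Bank alerts describe) and a Track 2 record on line 3 whose service code 120 does require a PIN at the terminal; the Luhn-failing token on line 4 is ignored. Only the Track 1 record carries a name, yet both Track 2 records still hand over the PAN and expiry, which is all a magnetic-stripe clone needs.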

Host Merchant Service’s PCI Compliance Initiative

Looking at the threat of a data breach, merchants must wonder what the solution can be. Is there protection available? PCI DSS compliance is a great foundation for transaction security. The standards set up by the PCI Security Standards Council are the first step a merchant needs to take to protect cardholder data. Keep in mind that compliance is a baseline rather than a guarantee: Global Payments was on Visa’s compliant list when it was breached. Host Merchant Services offers a PCI Compliance Initiative that helps its merchants quickly and seamlessly take that first step.

Also, one thing to consider if you are a merchant worried about data breaches affecting your bottom line: the Host Merchant Services Data Breach Security Program. Its PDF explains the value-added service HMS provides its merchants that goes beyond simple PCI compliance and helps ensure a merchant’s peace of mind.

Global Reveals More About Data Breach [2023 Update]

Today The Official Merchant Services Blog is updating its coverage of the Global Payments data breach. The big bomb Global just dropped is that there was apparently a second data breach.

The story, initially broken by Ellen Messmer at Network World, stated that Global Payments itself revealed this latest news.

Data Breach II: Credit Card Boogaloo

From the Global Payments Website:  “The Company’s ongoing investigation recently revealed potential unauthorized access to servers containing personal information collected from a subset of merchant applicants.  It is unclear whether the intruders looked at or took any personal information from the Company’s systems; however, the Company will notify potentially-affected individuals in the coming days with helpful information and make available credit monitoring and identity protection insurance at no cost.  The notifications are unrelated to cardholder data and pertain to individuals associated with a subset of the Company’s U.S. merchant applicants.”

So What Was Compromised?

This second breach compromised the personal information of a subset of small merchants that applied to become clients of Global Payments, and the company stressed that this set of merchants was different from the ones exposed in the first breach. The exposed information includes the sort of personal information the Atlanta processor uses as part of its underwriting process. The company stressed that it has no evidence that any fraudsters obtained or misused the merchant applicants’ information, but the servers holding that information were possibly accessed by an unauthorized party. Last time we updated this story, we provided information from Brian Krebs about how data from the first breach could have been used by fraudsters.

Something to keep in mind regarding Global’s claim that the second breach did not lead to fraud: Global still maintains that the information compromised in its first breach was not involved in fraud, even after Krebs dug up examples of fraud hitting Global customers in his blog entry.

Wait, What?

The author of the official updated statement released by Global — Jane Elliot from Investor Relations — added this caveat to the statement: “This announcement may contain certain forward-looking statements within the meaning of the ‘safe-harbor’ provisions of the Private Securities Litigation Reform Act of 1995.  Statements that are not historical facts, including management’s expectations regarding future events and developments, are forward-looking statements and are subject to significant risks and uncertainties.  Important factors that may cause actual events or results to differ materially from those anticipated by such forward-looking statements include the following: further results of the continuing investigation of the unauthorized access of our processing system, including the discovery of additional card data or information implicated in the incident; the effect of our remediation efforts on operations; the impact of fines or penalties from the card networks and state authorities on our results of operations; and other risks detailed in the company’s SEC filings, including the most recently filed Form 10-Q or Form 10-K, as applicable.  The company undertakes no obligation to revise any of these statements to reflect future circumstances or the occurrence of unanticipated events.”

That reads like a very wordy hedge against the way this story has evolved to date. To put it another way, much of what Global has already stated, including clinging to the claim that the breach is contained and that the number of compromised cards was just 1.5 million, has already been contradicted by information released by Visa and MasterCard.

Visa and MasterCard issued new alerts on May 15 suggesting the breach dated back to January 2011, an exposure window significantly longer than what Global originally reported when news of the breach surfaced in late March. Visa’s alerts in March, which Brian Krebs used to break the story, indicated the breach occurred sometime between Jan. 21, 2012, and Feb. 25, 2012. Global used those alerts to underscore its assertion that the breach was small and contained. But on April 26, an updated advisory from Visa put the suspected intrusion date closer to June 7, 2011, setting the exposure window for compromised cards back six months. Then Visa and MasterCard released information that pushed the date back a full year from the initial alert, to January 30, 2011. That vaults the figure of compromised cards to 7 million, much higher than the 1.5 million “or less” suggested by Global in its official statement.

All this contradiction over the length and severity of the breach had been met with silence from Global Payments. They had offered no further comment other than to link to their website. But with this latest batch of statements, they are now adding that very long caveat, and they apparently intend to clear matters up further. The company plans to provide additional information regarding the potential financial impact, the PCI compliance process and the status of the investigation no later than its July 26, 2012 year-end earnings call, according to Paul R. Garcia, chairman and CEO of Global Payments.

The Official Merchant Services Blog will be following this story as closely as ever now. It is getting more complicated and convoluted. Hopefully that earnings call will clear the air a bit. But it still seems that the reporters digging into this, as well as Visa and MasterCard, have a very different set of facts from the ones Global is sharing with people.