Tag Archives: global payments

Data Breach Consequences [2023 Update]

Today The Official Merchant Services Blog delves into the bigger picture: the impact the Global Payments data breach will have on the payment processing industry. The news will obviously hit Global Payments itself hardest. The company faces stiff penalties after Visa dropped it from its registry of compliant service providers because of “unauthorized access into a portion of (Global Payments’) processing system.”

Fees and penalties tied to regaining compliance status and getting back on the registry will add up. An executive from Co3 Systems, a data loss management firm, estimated that the potential liability for a merchant with 1 million compromised cards could top $1.6 million from compliance fines alone. Since Global’s own statements put the number of compromised cards at fewer than 1.5 million, the Co3 estimate is probably in the ballpark of what Global faces.

The company will also take a hit to its business simply because of the breach itself and the removal by Visa. While Global is off the list, some prospective customers may be unable to sign with it because it lacks compliance status, and if reinstatement takes too long, existing customers could be affected as well.

But there’s a larger context that needs to be considered with this data breach: PCI DSS itself.

We’ve covered PCI Compliance extensively in this blog. We looked at a Verizon report last year that found 79% of the organizations Verizon assessed in 2010 were non-compliant at their initial audit; the previous year’s study found 78% non-compliant. A Gartner Research study found that 18% of the merchants it surveyed were not PCI compliant at all.

What is PCI?

These studies underscore the security problem the payment processing industry faces. PCI DSS stands for Payment Card Industry Data Security Standard. PCI compliance is essentially the process of adhering to the standard maintained by the PCI Security Standards Council (PCI SSC), the body founded by the card brands; PCI DSS is the standard itself, not the council. The council publishes the full standard on its website. In essence, the standard is a set of requirements designed to ensure that every company that processes, stores or transmits cardholder data maintains a secure environment.

What’s the Problem?

One of the biggest criticisms of PCI DSS is that it is a minimum, agreed-upon set of security controls. Because it is a consensus standard assembled by the council, PCI is often criticized for being behind the curve or not thorough enough to deal with the attackers going after card data and transaction security. Combine that with studies repeatedly showing that merchants fail to keep their compliance current, or never become compliant in the first place, and you open the door to a lot of criticism of the system designed to keep transactions safe.

Taylor Armerding wrote a compelling article for CSO Online on PCI compliance in the aftermath of the latest data breach. The lead statement of the article underscores the issue simply and effectively: “The latest data security breach to strike MasterCard and VISA has security experts focusing anew on the good and bad of PCI DSS. On one hand, the standard offers a clear blueprint on how to handle such a breach. On the other hand, compliance is usually not the cure, as this latest incident demonstrates.”

To add emphasis, Armerding quotes Neil Roiter, research director at Corero Network Security, as saying: “The Payment Card Industry Data Security Standard (PCI DSS) is highly prescriptive in nature, but simply complying does not ensure credit card security. Companies that rely on PCI DSS to solely dictate their security measures will continue to remain vulnerable to attack.”

The Weak Link

Armerding’s article suggested that compliance isn’t the be-all and end-all of security and that humans are still the weakest link in the system. Quoting Anup Ghosh, founder and CEO of Invincea, a developer of browser protection systems, the article says too much of the standard is stuck in the past. Ghosh suggests that PCI breeds complacency and is easy for attackers to circumvent, and that the controls it mandates are largely designed to tell you what happened after the fact: a reactive rather than a proactive posture. Ghosh then suggests that the compromised data was likely encrypted, but that the standard is behind the curve where it really counts: the human layer of security.

Ghosh explains: “If I target employees, which is how you target these days, it is not very hard in phishing campaigns, to get employees to open an email or click on a link, which then provides access to their desktop and the privileges that come with it. [And in that case] Encryption is worthless.”

He then suggests a more proactive step: giving employees an isolated virtual environment to work in, so that whatever an employee clicks cannot compromise data elsewhere in the system.

PCI is Still Very Important

What Armerding and Ghosh say about PCI is compelling. But both still point out that PCI compliance is very important for merchants and payment processors. The standard may lag behind ever-cleverer attackers going after card data, but it sets a starting point for security. It sets the bar high enough that attackers have to put in real work to get around the controls. Being PCI compliant is far better than not being compliant, which is exactly what makes the Verizon and Gartner findings so worrying.

Host Merchant Services is a zealous advocate of PCI compliance. The company takes data security and safe transactions seriously and makes PCI compliance part of its value-added service package. HMS began a PCI Compliance Initiative last year, starting with an ad campaign that waived PCI compliance fees for a limited time for merchants who signed up during that period. It then extended the initiative through a partnership with HostMySite.com that offered a free PCI and security analysis to any interested customer, and that same offer is now available to anyone interested in Host Merchant Services, partnership or not. The company provides on-call assistance with PCI compliance questions and problems and will help all of its merchants through the process with tips and advice from Host Merchant Services’ own PCI compliance experts.

Tomorrow The Official Merchant Services Blog will follow up with the latest developments from the data breach, as well as more information about PCI Compliance, and PCI DSS issues that the payments industry and the tech industry are discussing.

For More Information

For more information about PCI Compliance, Host Merchant Services offers these resources:

PCI Compliance FAQ

PCI Compliance Guide

More on the Data Breach [2023 Update]

Following up on our continuing and extensive coverage of the Global Payments Data Breach, The Official Merchant Services Blog has some new tidbits to report from the man who initially broke the story — Brian Krebs.

Krebs felt he needed to respond to the Global Payments conference call led by company chairman and CEO Paul Garcia.

In that call Garcia said, “There’s a lot of rumor and innuendo out there which is not helpful to anyone, and most of it incredibly inaccurate. In terms of other timelines, I just cannot be specific further about that.”

Krebs took that ambiguous commentary as a specific reference to his own reporting of the incident, which differed from Global’s account on three points: Krebs’ reports offered a different timeline than the one Global had been giving; Krebs’ reports named suspected culprits (citing Dominican street gangs and a New York City cab company and garage); and Krebs’ reporting suggested that at least 876 cards had already been used fraudulently as a result of the breach, while Global stated that no fraudulent transactions were linked to it.

So there were definite differences between what Krebs was reporting and what Global, however grudgingly and tight-lipped, was saying in its official statements. The discrepancy had grown to the point that Krebs was entertaining the idea that the Global breach wasn’t the breach he had initially reported, and that there might be another, still unverified breach that fit his reporting better. As Krebs wrote on his blog: “Indeed, given GPN’s statements thus far, I continue to be nagged by the possibility that my initial reporting may have been related to a separate, as-yet undisclosed breach at another processor.”

But until another breach actually surfaces, Krebs continues to treat the Global breach as the one he had heard about and reported.

The Number Skew

The first topic Krebs addressed in response to Global’s statements was the number of compromised cards Global reported versus the number the Wall Street Journal initially suggested. Krebs notes that the language Global uses for its figures is distinctly different from the language other companies have used in previous data breaches.

From an abcnews.go.com article: “Brian Krebs, the security expert who reported about Visa and MasterCard’s security breach on Friday, said GPS is only stating how many accounts it believes were ‘exported,’ which focuses on the number of accounts or card numbers that a forensics expert could reasonably argue were offloaded or downloaded from the company’s systems. ‘What GPS has not said is how many transactions they processed — and potentially compromised — during the time between when they discovered the breach,’ Krebs said, which was early March, according to Global Payments, ‘and when they “contained” the breach [in late March].’ Krebs said the number of transactions or card numbers potentially exposed while the company was actively compromised ‘is probably far larger than the 1.5 million number they are citing in their statements, because those statements appear to be based on a figure that the company can say with relative certainty were downloaded or copied from its systems.’”

Change in Web Hosting

The next tidbit Krebs offered was that Global changed its web hosting company in February: “For the past two years, GlobalPaymentsInc.com has been hosted at MaximumASP, a hosting provider in Louisville, KY. On Feb. 20, 2012, the company moved its Web site to Amazon’s EC2 cloud hosting service. MaximumASP declined to answer questions about possible reasons for the switch, citing customer confidentiality policies.”

This hosting change falls within the window Krebs has offered as the period of the breach, and only a short time before Garcia says the company discovered it had been breached.

Data Breach Chart From Visa

The next tidbit Krebs offered was a Visa chart detailing the anatomy of a data breach. Krebs felt it significant that the chart defines a period Visa calls the “window of vulnerable transactions,” and that it shows discovery of a breach can come long after the breach actually began, so the window of exposed transactions can be much larger than the period a company reports. All of this is part of Krebs’ effort to construct a timeline in the face of Global’s vague commentary about it.

Hacker Makes Bold Claims

The last tidbit Krebs pointed out was that there are reports that the breach was far more extensive than was being reported.

Krebs cites a New York Times article: “The New York Times in a story published Saturday cited unnamed sources saying that this was the second time in a year that Global Payments had experienced a breach.”

Krebs then backs that claim up with a source of his own: “I have heard likewise from an anonymous hacker who claims the company was breached just after the new year in 2011.  The hacker said the company’s network was under full criminal control from that time until March 26, 2012.”

Krebs’ hacker source also claimed that the intruders had been capturing data from the company’s network at regular monthly intervals for 13 months, gathering data on a total of 24 million unique transactions before they were shut out.

And Krebs tried to verify the authenticity of his source: “When asked if he had evidence that would back up his claims, the hacker produced a Microsoft Word document with Global Payments’s logo entitled ‘Disaster Recovery Plan TDS US: Loss of the Atlanta Data Center.’ The document appears to have been created on May 6, 2010 by Raj Thiruvengadam, who according to LinkedIn.com was an Atlanta-based Oracle database administrator for Global Payments from May 2006 through August 2011.”

What it all Means

At its most basic, there is a discrepancy between the information Global is releasing and the information Krebs is uncovering. There may well be a separate breach that Krebs was given information on; as Krebs himself noted, his initial report did not mention Global at all. There may also be a separate or longer-running breach at Global. Or it may be, as Krebs suggested to ABC News, that Global chose a deliberately narrow metric for its numbers, one that does not account for something like the “window of vulnerable transactions.”

Krebs and Global will most likely be advancing this story throughout the week and The Official Merchant Services Blog will keep you up to date on those details.

Global Payments Data Breach  [2023 Update]

The Official Merchant Services Blog tackles the big news in the payment processing industry today: The Global Payments Data breach.

The news of this data breach hit on Friday, and the weekend saw some wild speculation. At first there were reports that a mere 50,000 cards were compromised. Then the media raised the number to 10,000,000. Today Global Payments and the media outlets covering the story are reporting that the number is closer to 1.5 million cards.

The Story So Far …

The breach was first reported by blogger Brian Krebs at KrebsonSecurity.com. He reported on Friday that Visa and MasterCard were alerting banks across the country to a major breach at a U.S.-based card processor. The first report cited as many as 10 million cards compromised. By that afternoon Krebs revealed that the processor was Global Payments and that the breach had been discovered in early March 2012. Krebs placed the breach between January 21, 2012 and February 25, 2012. The alerts issued by Visa and MasterCard, according to Krebs, stated that Track 1 and Track 2 data was taken. Those are the two magnetic-stripe tracks on a card: Track 1 carries the account number, cardholder name, expiration date and service code, and Track 2 carries the account number, expiration date and service code in a compact numeric form. With that data an attacker can encode a working counterfeit card, which is why PCI DSS forbids storing full track data after a transaction is authorized and why Krebs said the stolen data could be used to counterfeit new cards.
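To make concrete what “Track 1 and Track 2 data” means, and why finding it stored anywhere is a compliance and fraud problem, here is an added example (not code from the original post, from Krebs, or from Global Payments). It parses both ISO 7813 track formats, validates the account number with the Luhn check, and scans a constructed log excerpt for track data that should never have been written to disk, reporting each hit with the account number masked. The sample tracks use the well-known Visa test account number 4111111111111111 and a made-up cardholder name; the log lines and merchant ID are constructed for the example.

```python
import re

# Constructed sample magstripe data (not a real card): the standard Visa test
# account number 4111111111111111, a made-up cardholder, expiry 12/2015,
# service code 101 (international, IC not required, normal authorization).
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^15121011000000000000?"
SAMPLE_TRACK2 = ";4111111111111111=15121011000000000000?"

# Track 1 (ISO 7813, format code B): %B<PAN>^<NAME>^<YYMM><SVC><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{12,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2 (ISO 7813): ;<PAN>=<YYMM><SVC><discretionary>?
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """True if the account number passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate per PCI DSS display rules: at most first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track1(track: str) -> dict:
    """Split a Track 1 string into its fields; raises on anything else."""
    m = TRACK1_RE.fullmatch(track)
    if not m:
        raise ValueError("not Track 1 data")
    pan, name, yymm, svc, disc = m.groups()
    return {"pan": pan, "name": name, "expiry": yymm, "service_code": svc,
            "discretionary": disc, "luhn_ok": luhn_ok(pan)}


def parse_track2(track: str) -> dict:
    """Split a Track 2 string into its fields; raises on anything else."""
    m = TRACK2_RE.fullmatch(track)
    if not m:
        raise ValueError("not Track 2 data")
    pan, yymm, svc, disc = m.groups()
    return {"pan": pan, "expiry": yymm, "service_code": svc,
            "discretionary": disc, "luhn_ok": luhn_ok(pan)}


def find_track_data(text: str) -> list:
    """Scan free text (a log, a core dump, a database export) for stored
    track data. Findings carry a masked PAN so the scanner's own output does
    not become one more place where full track data is stored."""
    findings = []
    for m in TRACK1_RE.finditer(text):
        findings.append({"track": 1, "pan": mask_pan(m.group(1)),
                         "luhn_ok": luhn_ok(m.group(1))})
    for m in TRACK2_RE.finditer(text):
        findings.append({"track": 2, "pan": mask_pan(m.group(1)),
                         "luhn_ok": luhn_ok(m.group(1))})
    return findings


# Constructed excerpt of a point-of-sale debug log that wrongly wrote the raw
# swipe to disk; the surrounding lines are ordinary authorization messages.
SAMPLE_LOG = (
    "2012-02-03 10:14:55 INFO auth ok merchant=12345 amount=23.50\n"
    "2012-02-03 10:14:55 DEBUG raw swipe: " + SAMPLE_TRACK1 + SAMPLE_TRACK2 + "\n"
    "2012-02-03 10:15:01 INFO auth ok merchant=12345 amount=7.00\n"
)

if __name__ == "__main__":
    print(parse_track1(SAMPLE_TRACK1))
    for finding in find_track_data(SAMPLE_LOG):
        print(finding)
```

The Luhn check matters in a scanner because 16-digit runs appear in ordinary logs (timestamps, order IDs); a match that also carries the track sentinels and a valid check digit is a real finding, not noise. Masking in the output is deliberate: a DLP tool that echoes full account numbers into its own report just moves the problem.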

Then the media got more involved.

The Wall Street Journal followed Krebs’ blogging with a story on the breach, making the news official. Global stayed silent throughout the day, confirming the report only after the markets closed.

The intense interest in the breach prompted an interesting USA Today article that expanded on Krebs’ reporting. Krebs said his sources told him investigators suspected Dominican street gangs were involved in the fraud, which focused mainly on commercial credit and debit card accounts. The article then cited Gartner banking security analyst Avivah Litan, who said the breach involved a taxi and parking garage company in the New York City area, and suggested that consumers who had paid for a NYC cab in the previous months using the new in-cab swipe terminals might be victims of the breach and of possible fraud. Litan also said she had heard about a Central American gang connection.

Global’s Statements

Finally Global Payments started talking and confirmed the breach. Paul Garcia, Global’s chairman and chief executive, said in a statement that the company had reported the breach to the FBI, implying that it promptly identified the breach and reported it to the authorities; Global now calls it a “self-reported” breach. Media sources note, however, that the news still had to be dragged into the spotlight by Krebs and his blog.

After confirming the breach Garcia stated that the breach was “absolutely contained” and stated that there had been no “fraudulent transactions” related to the breach.

However, the Green Sheet reported on Friday that Krebs had reported that PSCU Financial, a nonprofit credit union service organization, had told its members 56,455 Visa and MasterCard accounts were compromised, with fraud found so far on 876 of them.

Garcia stated that 1.5 million card numbers were compromised by the breach and re-affirmed that no fraud had taken place related to the compromised cards. “This is manageable,” Garcia said.

Visa Takes Action

In response to the data breach information hitting the spotlight, Visa took action against Global Payments. Visa removed Global Payments, an Atlanta company that helps the payment giant process transactions for merchants, from its list of “compliant service providers.”

In his statements to the press, Garcia acknowledged that Visa had removed Global Payments from its compliance list pending resolution and remediation of the breach and said the company was working “as expeditiously as possible” to return to compliance. The process would take “not days, but we don’t think it’s months.” In other words, Global was not going to be able to restore its PCI status quickly. Global Payments continues to process Visa cards worldwide, according to Garcia.

Both Visa and MasterCard say their own systems weren’t compromised. Both card networks (they are not the issuers; the issuing banks are) said Friday that they had notified issuers of the potential for fraud and illicit charges resulting from the breach.

The Consequences

Global has not yet identified the size of the charge it will take as a result of the breach. For comparison, Heartland Payment Systems racked up $12 million in penalties and legal fees in the wake of its data breach, which compromised more than 120 million cards.

The Official Merchant Services Blog will devote much of its coverage to this developing story. Tomorrow we’ll look at any updates and at how this incident fits into the ongoing news about PCI security and compliance. Data breaches are a topic this blog has covered before; although we focused more on the breaches that hit video game companies like Sony and Turbine last year, that coverage was written with an eye toward the bigger problem of data breaches in general and compromised card data in particular. So expect us to tie it all together through our focus this week.

Also …

And one last thing to consider if you are a merchant worried about data breaches hitting your bottom line: the Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants, which goes beyond basic PCI compliance to help ensure a merchant’s peace of mind.