For today’s installment of The Official Merchant Services Blog, we are bringing you the most recent developments of the now infamous Global Payments Data Breach.
Back in March
When we first reported the breach, it had supposedly affected 50,000 cardholders and revolved around a taxi and parking garage company in the New York City area. Over a short time, media outlets hyped up the story until the alleged number of affected cardholders hit 10,000,000. Global CEO Paul Garcia estimated that closer to 1.5 million card numbers were compromised. Garcia also said that the breach was “self-reported” and “absolutely contained.”
In a quick response to the breach, Visa decided to remove the Atlanta-based processor from its list of “compliant service providers.” This meant that, for the first time, Global would no longer be Payment Card Industry (PCI) compliant, a major problem for one of the world’s largest payment processors. However, more consequences were to come for Global.
Update # 2
In May we learned that the breach might have actually dated back to June of 2011, a full eight months earlier than previously predicted. Global stuck by its story that the breach affected only 1.5 million cards or fewer and occurred in February 2012. However, the initial source of the breach story, Brian Krebs and his blog krebsonsecurity.com, revealed that “a hacker break-in at credit and debit card processor Global Payments Inc. dates back to at least early June 2011, Visa and MasterCard warned in updated alerts sent to card-issuing banks in the past week.” Krebs also found that Visa and MasterCard were sending periodic alerts to the banks about cards that may need to be re-issued following a security breach at a processor or merchant.
The 3rd time’s the charm
Global Payments executives estimated Thursday that the data breach revealed earlier this year could cost them upwards of $120 million to fix. A large part of that is an $84 million charge from the fourth quarter of fiscal year 2012 to cover fines and initial remediation costs from the payment card networks. Global CFO David Mangum said that the company also anticipates breach-related expenses and insurance payments in fiscal 2013 that could total $28 million or more. All the while, Global is working with a ‘Qualified Security Assessor’ in order to regain the PCI compliance certification it lost when the breach went public.
Tracking Track Data
Track data is the raw cardholder data contained in the magnetic stripe of a credit or debit card. In late May, Global asserted that only Track 2 data, which contains account numbers and expiration dates, had been lost in the breach. Track 1 data contains cardholder names, addresses and other crucial data. Global seemed to be insisting that this would lead to less fraud since the thieves could not produce counterfeit cards with the stolen data. Union Savings Bank, based in Danbury, Conn., was one of the banks alerted early by Visa and MasterCard about potential fraud. Visa alerted USB that about 1,000 of its debit accounts were compromised in the Global Payments breach. These details show how Track 2 data alone was enough for criminals to encode the card numbers and expiration dates onto any card equipped with a magnetic stripe. These cards can then be used at any merchant accepting signature debit, that is, for any transaction that does not require the cardholder to enter a PIN.
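Because Track 2 data alone is this valuable, PCI DSS forbids retaining full track data after authorization. As an added example (not from the original post), the Python code below scans text such as application logs for stored Track 2 strings and redacts them. The field layout follows ISO/IEC 7813; the function names and the sample log lines are constructed for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813):
#   ; PAN = YYMM service-code discretionary-data ?
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track2(text):
    """Find Track 2 strings whose PAN passes Luhn and whose expiry month is valid."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan, yy, mm, service_code, _discretionary = m.groups()
        if not luhn_ok(pan) or not 1 <= int(mm) <= 12:
            continue  # digits that merely look like track data
        hits.append({
            "span": m.span(),
            "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": f"{mm}/{yy}",
            "service_code": service_code,
        })
    return hits


def redact(text):
    """Replace each confirmed Track 2 string with a fixed marker."""
    out, last = [], 0
    for hit in find_track2(text):
        start, end = hit["span"]
        out.append(text[last:start] + "[TRACK2 REDACTED]")
        last = end
    return "".join(out) + text[last:]


# Constructed sample log; 4111111111111111 is a widely used test number.
SAMPLE_LOG = (
    "12:00:01 auth ok terminal=7 raw=;4111111111111111=25121010000000000000?\n"
    "12:00:02 auth ok terminal=7 ref=;1234567890123456=25121010000000000000?\n"
    "12:00:03 settle batch=42 amount=19.99\n"
)
```

The second sample line has the Track 2 shape but fails the Luhn check, so it is left untouched; validating the checksum keeps false positives down when scanning large log volumes.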
Host Merchant Service’s PCI Compliance Initiative
Looking at the threat of a data breach, merchants must wonder what the solution can be. Is there protection available? PCI Compliance is a great foundation for transaction security. The standards and protocols set up by the PCI-DSS Council are the first step a merchant needs to take to protect their data. And Host Merchant Services offers a PCI Compliance Initiative that helps its merchants quickly and seamlessly take that step.
Also, one thing to consider if you are a merchant and you are worried about data breaches affecting your bottom line: the Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind.