Global Payments Security Breach

Earlier this spring, Visa and MasterCard announced that a breach in security of information concerning credit cards and credit card holders had taken place. They detailed the breach as having taken place between January 21 and February 25 of 2012. Banks were warned about the activity as it could potentially have an impact on existing cardholders.

Credit card with lock on keyboard

A wave of panic swept through anyone who held a Visa or MasterCard. Some people cancelled their cards while others just relied on the banks that held the cards to do damage control and make sure that if their information wasn't safe, they were at least insured and not liable for any fraudulent transactions.

As the logic of cause and effect set in, it was assumed that security concerning identification and financial information within these companies and others like them would be tightened up. Given the data that these companies have and the ability to discover that there ever was a breach at all, it was largely assumed that this data would be used to develop more secure methods of processing and holding information. The public assumed incorrectly and once again, a new breach occurred.

Global Payments Security Breach

Global Payments Inc. discovered a data breach in early March of 2012, after the news about the breach in Visa and MasterCard had been announced and presumably, contained. However, Global Payments Inc. seeks to correlate the two events so that they seem to be one. The numbers just don't match up for the event to be one solitary incident.

Are The Two Incidents Connected?

If the two issues are connected, then it stands to reason there may be more data leaks in existence that simply have not been discovered yet. When it comes to Global Payments Inc., the information that was breached had to do with merchant processing. When cardholders try to use their credit cards to pay for items they are trying to purchase, Global Payments Inc. receives that information. Apparently, so did an unknown third party.

What Was Compromised?

While Global Payments Inc. insists that the incident is contained and that the only information the suspects had access to were credit card numbers, there is still some speculation that information such as addresses, names and driver's license numbers were also at risk. Global Payments discovered that a database that stores merchant's private information appeared to be breached.

If personal identifying information was exposed during this data breach, cardholders everywhere are at the mercy of those who have that information. It is possible with this information to apply for more lines of credit in the way of loans and credit cards. Since many of these applications are now processed online, there is no longer the security about having to appear in person to apply for these lines of credit.

The most hopeful scenario is that only the credit card numbers were taken. This information still leaves consumers open to the possibility of credit card fraud. And while some companies require the three security numbers found on the back of the card before they process any orders, not all do. For those who do not require this information, it is very easy to order items just by using the credit card number.

The disturbing part of this entire scenario is that Global Payments Inc. is trying so hard to present this breach as being one in the same as the breach with Visa and MasterCard. However, the two incidents happened in entirely different time frames, so they are either separate incidents or the entire breach is much larger and better coordinated than anyone had originally suspected. Naturally, Global Payments Inc. is limited in how much they can reveal at this point since the investigation is ongoing. They are unwilling to present information that could assist those who are involved in the breach.

Consumer Action

For now, there is not much that consumers can do about the situation in the way of damage control other than keeping an eye on each card they have. Consumers might also cancel current cards and ask for replacement ones so that they get new numbers to replace the ones that may have been involved in the incident.

While you can't stop things like this from happening when the issue is within a company and not from your own actions, there is a lot you can to make sure that you aren't putting yourself at risk through your own shopping and bill payment methods.

If you pay your bills online, be sure to clean your cookies and browsing history after the payment was made. You should also make sure that the site you make your payments on is a secure one. It is always a good idea to change you pin number occasionally, just like you should change your password on various sites occasionally.

When you shop using your credit card at an actual store, be smart about how you make your payment. Turn your body so the numbers on the card are not visible to the person behind you. If need be, cover the pad with your hand while typing in your pin number. One easy way to avoid allowing people to see the numbers on your card or your pin number as you put it in is to make sure to keep your shopping cart behind you rather than in front of you. This limits the ability for the person behind you to see small details such as credit card number or a pin number as you put it in the system.

Make sure your bank or cardholder is working for you. If they do not have a fraud protection system in place that protects you and your funds in the case of credit card theft or fraud, they are not a company worth banking with. It is also a good idea to purchase fraud protection insurance if you can.

Visa's Response To The Global Payments Security Breach

Updated on August 20, 2012

On Friday, March 30, 2012, Global Payments, a little-known card payment processing company based in Atlanta, Georgia, confirmed a potential security breach that industry insiders suspected could have affected potentially hundreds of thousands of customers who pay with Visa or Mastercard. By April 1, 2012, the number of affected individuals was up to one and a half million or even more. Investigators were furiously trying to uncover exactly what information had been accessed when Global

Payments' systems were viewed without authorization. The U.S. government, and the public, were demanding ways to make credit card payments more secure, as well as that action be taken to keep card users safe. Meanwhile, a team of experts worked overtime at Global Payments to both contain the breach and find the root causes, while Visa and Mastercard sought ways to save their own solid company reputations in the wake of the security breach.

Companies Strategize On How To Cope With The Breach

Krebs On Security blog was the first to break the story to the public on Friday morning, with blogger Brian Krebs alarming the public that as many as ten million people could have been affected. Immediately following, Bank of America Corp., J.P. Morgan Chase and Co., and Discover Financial Services all had administrative staff working the case and determining when to reissue bank cards and how many reissues would be necessary.

Global Payments provides the processing center link between the banks themselves and retailers who wish to accept payments via bank cards. The initial size of the breach was suspected on the blog and in the media to be smaller because of the relatively small size of the breach, even though as a payment processing center, Global Payments does have access to vast amounts of sensitive customer financial information.

Banks issuing the cards struggled through larger security breaches that occurred in the past several years before this, and were keenly aware of the level of administrative costs that cleanup might incur. Card reissues, for instance, are oftentimes a larger administrative cost than the actual fraud itself. Both Visa and Mastercard knew they would also need to take action, to save face with the public as well as ensure that secure processing centers were being used for accepting payments. Each of those two companies were quick to confirm, however, that their own security systems had not been breached.

Visa Punishes Global Payments

Visa and Mastercard both sought to rectify the security situation, issuing non-public alerts about Global Payments' security breach to their network of banks and monitoring the card processors' efforts at hiring an independent investigator to look into the issue. Visa took the next step in making customers aware that Global Payments let them down: Visa removed the company from its list of approved service providers.

Although the move does not mean that merchants are barred from using Global Payments to process Visa card purchases, it had a major negative impact on the company's public image. The removal also brought further publicity to the issue, and forced Global Payments to fully assure that they were in compliance with Visa's policies. In a show of good faith, Visa did apply Global Payments to re-apply for approved vendor status when they could provide proof that they were in full compliance with the rules.

During The Independent Investigation

Paul R. Garcia, Chairman and CEO of Global Payments, issued a formal apology to the public about the breach and informed everyone of the independent investigation team that had been hired. Payment processing services, he said, would not be interrupted.

The services thus were continued despite the revoke of approval by Visa. Mastercard did not opt to interrupt services with Global Payments, stating instead that they would await further information and review the evidence of the investigation. All potentially affected customers were notified in writing that they may have been the victim of the security breach, and customers were then offered monitoring services and identity protection insurance free of charge, all provided by Global Payments and affiliates.

These measures were meant to put customers' minds at as much ease as possible, yet keep them apprised of the situation at hand. Visa experienced a technical difficulty shortly after the breach, leaving debit and credit card users unable to make transactions for about forty-five minutes; the technical problem was quickly acknowledged to the press but confirmed to be unrelated to the security breach itself despite time coincidence.

The Aftermath Of The Security Breach

Global Payments made the announcement at the end of the day and took other measures to prevent a complete plummet of its stock prices, including halting trades early. Despite stock prices sharply dropping, some experts still speculated that the payment processing company would recover from the incident. During the second week of June, 2012, the company confirmed that the breach was contained, and made a statement regarding the extensive progress that had been made by its independent investigation team.

The information in the leak was most likely limited to card numbers and expiration dates, or what the investigators called 'Track 2' data. Beyond this, it was not clear to the team whether or not other pieces of personal information such as names, addresses, birth dates, and so forth, had been accessed or viewed by the hackers.

All potential victims have their credit histories flagged for seven years, the main advantage of this being that they will receive a phone call from a grantor if someone attempts to open an account in their name.

The Effect On Global Payments

Reports by the end of July, 2012 indicated that quarterly profits had plummeted ninety percent. Despite the fact that the 1.5 million potentially affected cardholders was a relatively low number considering the much larger size and scope of other recent security breaches, the total cost to Global Payments was officially listed as $84.4 million before tax. Company revenue, however, continues to grow at relatively strong rates, and the company continues normal operation and expansion despite the setback.