Merchants, consumers on hook due to card processor breach

March 30th, 2012

Merchants and consumers could be the big losers in the latest case of hackers cracking the complex systems used to process credit and debit card transactions.

Visa and MasterCard acknowledged Friday that they’ve been alerting banks about a major breach of an unnamed payment card processing firm. The Wall Street Journal, citing unnamed sources, named Atlanta-based Global Payments as the processor in question.

Global Payments declined interview requests.

Security blogger Brian Krebs, who broke the story, says thieves cracked into the processor’s systems between Jan. 21 and Feb. 25, and may have swiped more than 10 million credit and debit card transaction records, originating from an unknown number of merchants, banks and credit unions.

Gartner banking security analyst Avivah Litan says unverified reports point to a New York City street gang with Central American ties taking over “an administrative account that was not protected sufficiently.”

“I’ve spoken with folks in the card business who are seeing signs of this breach mushroom,” says Litan.

MasterCard issued a statement advising cardholders to contact the financial institution that issued their cards with any concerns. Visa emphasized that no Visa systems were breached.

However, criminals know better than to waste time on highly defended systems, and have been consistently successful at cracking support systems. “Sooner or later they find some weakness in the highly complex chain of systems that they can exploit,” says Geoff Webb, of data security firm Credant Technologies.

Credit card processors have been breached before. Heartland Payment Systems lost 130 million payment card records generated by 250,000 merchants and restaurants in 2008-2009.

It’s not just card processors that are being targeted. Last year hackers stole payment card information for more than 100 million customers of Sony’s PlayStation Network.

And earlier this year online shoe retailer Zappos disclosed hackers took e-mail and shipping addresses, phone numbers and account passwords for some 24 million customers, data useful for identity theft.

“Any business that’s capturing payment data is a target,” says Mark Bower, analyst at Voltage Security.

Consumers whose debit card account information landed in criminals’ hands with this latest breach are at heightened risk. That’s because gangs are adept at quickly manufacturing faked cards to make large cash withdrawals from ATMs. And the consumer’s cash goes missing until a theft is reported and reimbursement carried out, which can take several days.

“You should always be watching your statements for unauthorized transactions but right now people should be extra vigilant,” says Steve Coggeshall, chief technology officer at ID Analytics.

Retailers are also uniquely exposed. Some 46 states have now enacted data breach disclosure laws that require merchants and payment card issuing banks and credit unions to notify customers whose card numbers are stolen.

Many of these data loss disclosure laws impose stiff fines if notifications are not done in a timely manner, says Ted Julian, of Co3, a Cambridge, Mass.-based start-up that helps retailers manage the repercussions of credit card theft.

States could pursue a windfall in fines levied against merchants and card-issuing banks and credit unions who are slow to notify consumers that their credit or debit card number is in criminals’ hands. “Merchants are definitely on the hook for these state disclosures, because they are the ones who have the consumer relationship,” Julian says.