Thursday, June 14, 2012
Merchant info possibly compromised in breach
In an update describing the investigation of a data breach discovered by Global Payments Inc. in March 2012, Paul Garcia, the company's Chairman and Chief Executive Officer, said the leading acquirer discovered hackers may have accessed personal information belonging to merchant applicants.
The vulnerable information – which the company has not confirmed was accessed – contains names, addresses, Social Security numbers, driver's license numbers and bank account numbers from merchant applications.
Merchant data in question
Garcia revealed the potential vulnerability in a conference call held June 12, 2012, to provide an update on the company's continuing investigation of the breach. He stressed during the call that "it is unclear whether the intruders looked at or took any personal information from the company's computer," but when forensic analysis revealed the data vulnerability, Global Payments decided to reveal the possible compromise.
Garcia stated he doesn't believe the thieves even looked at the file containing the sensitive information "much less took any data," but the company decided best practices compel it to contact anyone potentially impacted by a breach of the merchant accounts. "We are going to properly address the situation and try to do the right thing for all the companies involved," he said.
"We sincerely apologize for this incident and are working diligently to conclude our investigation," Garcia said. "We are committed to fully resolve any issues arising from this matter." The company is offering at-risk merchants credit monitoring and $1 million in identity protection insurance at no cost.
Breach consequences and mitigation
Global Payments anticipates it will have additional costs to bear as a result of the breach, but those costs "are manageable," Garcia said. He stated the expense will not interfere with the company's growth and that the breach's financial impact will be discussed further in the next update call scheduled for July 26, 2012.
Garcia said Global Payments can confirm that only track 2 card data (consisting of primary account number, expiration date and service code) was stolen from fewer than 1.5 million accounts. The CEO also noted the breach did not involve its customers at the POS level, so merchants do not have to make any POS changes to process secure transactions through Global Payments.
Garcia reported that the company hired a qualified security assessor to do an independent review of the company's Payment Card Industry (PCI) Data Security Standard (DSS) compliance. Garcia promised that when the review is complete, and remediation is concluded, Global Payments will work with the card networks to get the company back on the networks' list of PCI DSS-compliant service providers.
"Our confidence level is growing every day," he said. "We feel like we are getting to the end of this."
Global Payments is posting investigation updates at www.2012infosecurityupdate.com.
Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.