-
Visa has taken a rare step and dropped payments processor Global Payments from its list of approved service providers after the company reported that as many as 1.5 million credit card accounts may have been compromised by hackers.
April 2 -
Global Payments Inc. (GPN), the credit-card processor that reported a significant security breach Friday, said that hackers stole account numbers and other key information from up to 1.5 million accounts in North America.
April 1
Global Payments' response to the
Like other processors before it, Global Payments (GPN) was considered compliant with the Payment Card Industry data security standard until it discovered the breach last month. Now it's not.
The immediate consequence for Global Payments is its removal from Visa's (NYSE:V) list of compliant merchants. Global Payments said it expects to eventually cover the cost of reissued cards and may pay a fine or other charge to the card networks.
"Visa has removed us from the PCI compliance list … upon reflection, that was not unexpected," said Paul R. Garcia, Global Payments' chairman and chief executive, on a Monday morning conference call.
The PCI issue is something of a "Catch-22," Garcia said, in that an entity is assumed to be noncompliant if it reports a breach even if it has had no prior issues in demonstrating its compliance.
Otherwise, it's business as usual. Global Payments is still handling Visa transactions and has even signed up new customers since it reported the breach to the card networks, Garcia said.
"We're not precluded from signing up new merchants," he said. "We're literally signing them right now." (He did not say how many.)
The company said it expects a comparable response from the other card networks.
The pattern played out in 2009 with Heartland Payment Systems and RBS WorldPay (which is no longer a unit of Royal Bank of Scotland). These processors
"I think it's a convenient, but inaccurate, statement to say that a company is certified to be compliant one day and suddenly does something wrong that they're not compliant the next day," said Robert O. Carr, Heartland's chairman and CEO, in a 2009 interview after its breach.
Global Payments estimated that the breach it discovered last month exposed up to 1.5 million card accounts — a large number but far short of the estimated 10 million accounts that had been earlier reported in the media.
The Atlanta processor is confident in its estimate, though there is still an ongoing investigation by law enforcement and the card networks, Garcia said.
Global Payments emphasized that the issue was with its own technology, not that of a merchant or an independent sales organization. The incident affected a "handful of servers" in Global Payments' North American processing system, Garcia said.
The breach was discovered — but not prevented — by loss prevention software Global Payments uses, he said.
Global Payments reported the breach to the networks and to law enforcement authorities "within hours" of its discovery and has since "contained" the issue, Garcia said.