Late Friday, credit card processing vendor Global Payments Inc. admitted the company had been the victim of a massive data breach. Monday morning, the company’s CEO got on the phone with press and analysts to share information about what happened. Many details of the breach are still murky, but the episode underscores the ongoing threat that cybercriminals pose to organizations that transact financial data.
“There is a lot of rumor and innuendo out there and most of it is incredibly inaccurate,” Global Payments CEO Paul Garcia said on Monday’s conference call. “The company believes that fewer than 1.5 million card numbers may have been stolen and that the theft is confined to our North American processing system.”
There had been some speculation that the breach was significantly larger. Garcia said that the breach affected only “a handful of servers” and stressed that the company does not believe that cardholder names, addresses, social security numbers, or consumer banking information were obtained by the criminals. He also noted that the company is not aware of any fraudulent transactions resulting from the breach.
“Neither merchant systems, nor point-of-sale devices were involved in any way,” Garcia said. “It is also important to emphasize that consumers are completely protected if any exposure were to arise. The card-issuing institutions have well-established and highly effective procedures to protect their customers.”
According to Garcia, Global Payments had internal security measures in place that identified the breach.
“I can tell you this, approximately three weeks ago we identified that cardholder data may have been taken,” Garcia said. “Literally within hours we contacted federal law enforcement and the card associations.”
Garcia noted that the investigation is still continuing, and that there are parts of the breach incident that the company is still working to resolve. That said, he stressed that the situation is contained to the best of the company’s ability and opinion. He also noted that this was the first such breach at the company.
“We have not experienced anything like this before,” Garcia said. “There was a rumor that we were aware of a data intrusion a year ago, but that didn’t happen, this is the first incident and we hope this is the last. If there were another incident we would have reported it.”
The company is now reviewing the details of the breach with multiple forensic experts, Garcia said: “We are going through every single aspect, every single server, every single piece of data, to make certain that we didn’t miss anything.”
The Global Payments system had previously been certified as PCI-DSS compliant. As a result of the data breach, Visa has now removed the Record of Compliance (RoC) for the company. However, Global Payments is continuing to process payments — and Garcia stressed that his organization is working around the clock to get their RoC certification back.
PCI-DSS: A Minimum Standard
The PCI-DSS standard is an important stamp of data security compliance — but organizations shouldn’t stop there, many experts say.
“PCI-DSS is a standard that helps organizations develop a good security baseline for protecting cardholder data,” Chris Porter, a co-author of the Verizon Data Breach Incident Report, told eSecurity Planet. “However, Verizon does not comment on specific breaches and judging whether or not PCI-DSS would make a difference would be pure speculation.”
Porter noted that cardholder data continues to be an important target of organized crime, as evidenced in Verizon’s Data Breach Investigations (DBIR) reports. The 2012 DBIR was released at the end of March this year, and one of the key findings was that 92 percent of incidents were discovered by a third party. In contrast, Global Payments’ Garcia stressed that his company found and reported the incident on their own.
“This was self-discovered and self-reported,” Garcia said on Monday’s conference call. “We found this, and we reported it within hours.”
Marcus Carey, security researcher at security vendor Rapid7, told eSecurity Planet that the Global Payments breach highlights that PCI-DSS is really an absolute minimum bar when it comes to security posture, and that the certification does not guarantee that an organization is secure.
“We recommend that our customers and all organizations go well above the PCI-DSS security requirements,” Carey said. “Since attacks like this will not stop, organizations really do need to invest in vulnerability management and incident response to limit their attack surfaces and quickly identify breaches once they occur.”
From Global Payments’ perspective, the security breach could actually end up having a positive impact on the PCI-DSS standard, as information learned from the incident could help to improve future versions of the standard.
“This will help PCI be better and this will help everyone be more secure since we’re all in this together,” Garcia said. “These are thieves, these are bad guys that are working day and night to hurt us and all of us together have to do our best to thwart them and that’s what we’re working on.”
Editor’s Note: Global Payments Inc. has set up a website for consumers and merchants to access up-to-date information about the breach at www.2012infosecurityupdate.com.
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com, the news service of the IT Business Edge Network. Follow Sean on Twitter: @TechJournalist. Additional reporting by Lars Kongshem. Creative Commons image courtesy of Andrew Magill.