ATLANTA (4/3/12)--Atlanta-based Global Payments Inc. has been removed from Visa's "compliant service providers" list after revealing Friday that part of its third-party card processing system had been breached. However, Global says it has "contained" the breach to less than 1.5 million debit and credit cards.
"The company believes that the affected portion of its processing system is confined to North America and less than 1.5 million card numbers may have been exported," Global Payments said in a press release Sunday.
The investigation so far has revealed that Track 2 data may have been stolen. Track 1 and Track 2 data include names, card numbers and validation codes. Global said that cardholder names, addresses and Social Security numbers were not obtained by the criminals who hacked the system.
The breach has prompted a number of alerts from companies serving credit unions, as well as from credit unions themselves. CUNA Mutual Group issued a risk alert Friday with tips for its bond policyholders.
The Members Group (TMG), a Des Moines, Iowa-based provider of card processing and payment solutions for credit unions, is warning credit unions to be on high alert for credit card fraud stemming from the breach. It is assisting its card-issuing credit union clients with implementing defensive strategies to minimize the impact of card fraud resulting from the breach.
"The best prevention strategies will be different for every issuer and will depend greatly on where and how the fraudulent activity occurs," said Karen Postma, cards risk senior manager at TMG. For some credit unions reissuing the card may be the best approach to minimizing losses. For others, tighter rule-setting and diligent monitoring will be sufficient, she said.
She explained that fraudsters typically test several different bank identification numbers (BINs) before settling on the one or two that are most profitable. The TMG fraud department is monitoring card activity closely to identify which BINs are most likely to be impacted.
Postma, who advised credit union card issuers through the 2008 Heartland Payment Systems data compromise, said it's too early to predict the fallout from this particular breach. "We plan to be in close communication with each of our card-issuing clients for the next several months as the investigation into the breach continues," she said.
"Credit unions should absolutely be proactive, however, monitoring their portfolios very closely to understand whether and to what extent they are being affected. If they determine they are being hit with high levels of fraudulent activity, more aggressive measures are likely necessary," Postma said.
Corinne Sherman, senior vice president, fee services for the Pennsylvania Credit Union Association, advised credit unions to "pay close attention to information received from your card processor" (Life is a Highway April 2).
"This is very unfortunate and it could be very costly," said Sherman. "If a credit union has any concerns about cards at risk, it is best to err on the side of caution and reissue cards to protect members and its card program."
Credit unions are already reporting some fraudulent charges. For example, during the last six days of March, Hermiston, Ore., police said they had received at least six reports of fraudulent charges made on credit cards issued by America's Best Community FCU, a $5 million asset credit union based in Hermiston (OPB News March 31). Although the credit union's system wasn't compromised and members' accounts were safe, the nationwide implications of the Global Payments breach hit home for those members. One couple charged $60 during the weekend on their card to see it turned into a $480 charge for purchases from a store in Kenosha, Wis. Another member reported $561 in fraudulent charges.
Global Payments was working with industry third parties, regulators and law enforcement agencies to minimize potential cardholder impact, it said, adding it "has engaged multiple information security and forensics firms to investigate and address this issue."
"We are making rapid progress toward bringing this issue to a close. Our nearly 4,000 employees around the world are focused on providing exceptional service. We are open for business and continue to process transactions for all of the card brands," said Chairman/CEO Paul R. Garcia.
According to The Wall Street Journal (March 30), the cards were exposed between Jan. 21 and Feb. 25. The total cost of the breach is still being tallied. The company set up a website for consumers seeking information.
Although Visa has removed the company from its list of providers, Global continues to process Visa and other brand cards and expects to be reinstated once the compliance issues with card company standards are corrected.
Visa and MasterCard systems were not breached. Also, Global made it clear Friday that the breach was not related to merchant/customer relationships.