Credit Card Breach Smaller Than Expected, Visa Still Drops Service Provider
April 2, 2012

Credit Card Breach Smaller Than Expected, Visa Still Drops Service Provider

Following a self-reported security breach on Friday that left personal information for tens of thousands of credit card holders vulnerable, Global Payments Inc. provided analysts with an update on the details of the hacker attack in a conference call Monday morning.

In an attempt to offset the negative impact of the news on its market shares, the provider of electronic transaction processing services also used the opportunity to report its last-quarter earnings two days early, showcasing a 17 percent growth in revenue for the quarter that ended on February 29 and year-over-year per share growth of 24 percent compared to 2011.

Yet despite the insistence from the company´s CEO Paul R. Garcia that the cyber security breach was “absolutely contained” and that no “fraudulent transactions” had resulted, the news was not enough to assuage the concerns of one of the company´s largest customers Visa Inc.

Garcia confirmed rumors that the multinational credit and debit card giant had removed his company from its compliance list and that it would no longer be using the company´s services to process its electronic transactions.

Pointing out that being bumped from the compliance list was only a temporary measure, however, Garcia stated that Global Payments was working “as expeditiously as possible” to get its name off of Visa´s naughty list.

Garcia assured Wall Street analysts that his firm would return to the list as soon as the security issue was resolved and it obtained a new certificate of compliance from Visa — a process that will take “not days, but we (also) don´t think “¦ months,” he added.

While the precise details surrounding the security breach are still under investigation, Garcia noted that Global Payments continues to run transactions for Visa.

The company announced on Sunday that the data breach potentially affected no more than 1.5 million cardholders from various credit card issuers in North America — dramatically fewer than initial reports which projected as many as 10 million compromised accounts.

Global Payments also assured customers and investors that all potentially stolen data was anonymous and that the names, addresses and Social Security numbers of card holders were not compromised.

According to the company, it will have a website online by later today to assist card holders in determining whether their accounts were affected by the breach.


In an interview with Forbes, information security guru and director of the data protection company Credant Technologies Geoff Webb, noted that the security breach was “obviously “¦ smaller than people thought, which is good news.”

Moreover, after sitting in on the conference call as an advisor, he noted being impressed with the “relatively short window during which they were breached.” According to Webb, Global Payments´ security breach appears to have lasted only a month or two, noting by comparison that such breaches commonly last a year or more before they´re detected and fixed.

This relatively short period of exposure and the subsequent haste with which the company located and started fixing the security gap, he says, actually commend its level of security.

“That speaks to fact that Global Payments was on the ball,” Webb said.

Yet hardly in a position to start patting his company on the back, Garcia recognized that the incident “could give our partners some pause that they´re doing business with someone who experience a breach.”

He added that the company has called in federal investigators as well as third-party experts to assist in the investigation and help minimize the exposure of any affected cardholders.

Over the weekend, Global Payments´ initial internal investigation indicated that so-called Track 2 credit card information may have been affected. All consumer credit cards contain at least two tracks in the magnetic strip on the back of the card. With a higher bit density, only Track 1 actually carries personal information about the individual cardholder.

Because the investigation is still open and no charges have yet been issued, Garcia apologized that they could not yet be “terribly specific” in providing additional details about the security breach.

Both Visa and MasterCard have issued public statements highlighting that their own internal data systems were not affected.