Visa confirms another payment processor breach

By Dan Kaplan

June 18, 2010 Updated Feb 24, 2009 at 12:31 PM EST

Another payment processor has fallen victim to hackers, Visa confirmed on Monday.

Visa and MasterCard are notifying banks about accounts impacted by a "major compromise," unrelated to the massive Heartland Payment Systems incident announced last month, according to a number of credit unions and banking associations.

The hackers apparently breached the processor in the same way they infiltrated Heartland -- by placing malicious software on the network, according to an alert from the Pennsylvania Credit Union Association.

Visa hosted a conference call on Feb. 12 to notify member banks about the breach, which affected transactions made from February to August 2008, the association said. The incident involves account numbers and expiration dates, but no track data was compromised; therefore the attackers would be unable to make counterfeit cards.

The size of the breach appears significant but fewer cards were affected than in the Heartland case, the Community Bankers Association of Illinois said in its own announcement. That breach potentially exposed as many as 100 million accounts.

The victim in this case appears to be a provider that processes online transactions, said David Shettler, vice president and CTO of Open Security Foundation, a nonprofit that researches data breaches.

He told SCMagazineUS.com on Monday that the group has been receiving tips about the breach since Feb. 12, but few details have been confirmed.

"What concerns me is that Visa and MasterCard, they clearly know who it is," Shettler said. "That just won't say anything because the processor hasn't come clean. The sort of feel it gives people is that Visa and MasterCard are covering for some unnamed organization."

Visa and MasterCard began notifying card issuers about affected accounts on Feb. 9 and 13, respectively.

It is unclear whether this processor was compliant with payment industry guidelines, the association said. Heartland was deemed Payment Card Industry Data Security Standard-certified (PCI DSS) when it announced its breach.

This marks the third data-loss incident to impact payment processors in the past three months. In December, RBS WorldPay disclosed a breach that affected some 1.5 million card users. Shettler said cybercriminals are zoning in on these entities because they deal with the most amount of information.

"You can crack into merchants, but that's a limited scope," he said. "If I were the payment card industry, namely Visa and MasterCard, I'd be concerned."

Visa said it was working with business and financial institutions to improve security measures.“Visa

Inc. is aware that a processor has experienced a compromise of payment card

account information from its systems," the company said in a statement on Monday. "It's essential that every business that handles payment card information adhere to the highest data protection standards to protect the security and privacy of their customers' financial information."

A representative from MasterCard could not be reached for comment.




What are your thoughts CLICK HERE to leave us a "QUESTION OF THE DAY” comment.

Want to be in the know for the next weather event, the next school closing or the next big breaking news story?

TextCaster alerts from 21Alive.com are your defining source for instant information delivered right to your cell phone and email. It's free, easy and instant. Sign-Up Now!

Powered by Summit City Chevrolet



© Copyright 2014, A Granite Broadcasting Station. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

To submit a comment on this article, your email address is required. We respect your privacy and your email will not be visible to others nor will it be added to any email lists.