The rumour-mill has been running all week
regarding a security breach suffered by Global Payments in the
US. Confirmed details of the problem are few – and
assumptions are many.
In a conference call for investors, the
company’s CEO Paul Garcia did not spend much time elaborating on
the cause of the problem, but did make efforts to define its
scope. He was careful to say that the exposure was limited to Track
2 data for 1.5 million cardholders in North America.
As far as identifying the hackers’ entry
point, Garcia confirmed that it did not occur at merchant or ISO
level.
“This does not involve our merchants, our
sales partners, or their relationships with their customers,” he
told investors. “Neither merchant systems, or point of sale
devices, were involved in any way.”
PCI problems
Following the breach, Visa announced that it
had taken Global Payments off its register of service providers
that meet PCI Data Security Standards.
Garcia confirmed that Global Payments was
continuing to process Visa transactions. According to PCI DSS
expert and QSA Colin Dixon of consultancy Ascentor, the company is
able to do so thanks to its position in the chain.
“It boils down to contract law,” he said.
“Essentially, PCI DSS compliance is a condition of the contracts
that are in place between the card networks and the acquirer. It is
also a condition of the contracts between the acquirer and the
merchant. However, as a third-party processor, Global Payments is
under no such contractual obligation to Visa.”
Despite falling conveniently between two
stools, Garcia did emphasise, very strongly, that the company was
taking the PCI DSS revalidation process seriously.
He told investors that the team was working
around the clock to regain compliance with the standards.
The closest the CEO came to tackling this
question of “why?” was to refer to the reputational impact of
Visa’s decision.
“It could give our partners some pause, that
they are doing business with a company that has experienced a
breach,” he said, suggesting it could take some weeks for the
company’s status to be reinstated.
The process will not be straightforward. A
leading expert on merchant acquiring told us: “This is far from a
straight-forward box-ticking exercise. The company could expect to
be scrutinised quite thoroughly.
“A once-compliant processor losing its status
in this fashion is unprecedented.”
The cause of the problem
In the investor call, Garcia isolated the
problem to “a handful of servers”, but was unable to elaborate on
the investigation currently underway.
Ascentor’s Dixon says it can be narrowed down
to a very small number of possibilities.
“It is most likely to have been a compromise
of an external-facing server by a hacker who found a
vulnerability.
“The company has said that security codes were
compromised during the breach. There are only two possible ways
that could have happened,” explained Dixon. “Either Global Payments
has been storing security codes on its servers – which is illegal,
and highly improbable – or the hacker set a trojan to work,
monitoring the transactions running through the systems.
“This is by far the most likely scenario.”
PCI DSS compliance issues aside, Global
Payments may also find itself having to answer questions regarding
its vendor relationships. “There could be due diligence issues with
Global Payments’ vendors,” one expert told Cards International.
“This may ring alarm bells for other processors in similar
positions.”
Whether or not a software vendor was at fault,
the security breach is, says Dixon, a clear indication that Global
Payments did not maintain continuous compliance.
“The company was compliant at one stage, but
it is very unlikely that they were meeting those standards on the
day the servers were hacked,” he said.
“Something must have changed. They almost
certainly did not maintain compliance.
“In layman’s terms, someone
must have screwed up. If Global Payments was monitoring its audit
trails according to PCI DSS standards, the hackers would never have
breached its servers.”
