Last Friday Brian Krebs broke the story that MasterCard and Visa were warning of a major processor breach. Later in the day it was announced that the payment processor was Global Payments Inc. and that approximately 50,000 card numbers had been compromised, a number that was later revised to 1.5 million card numbers. Global Payments took such a pummeling in the stock market that they had to halt trading in the middle of the day on Friday, and they appear not to have resumed trading as I’m writing this post. They have a press conference this morning, but the initial reporting shows that Global Payments isn’t saying anything that’s not already in a press release. And to add insult to injury, Global Payments has had their listing as a compliant service provider yanked as of Friday, pending the security review of the compromise and a new assessment, a process that could take months.
The relationship between customer, merchant, banks, card processors and the card brands is complex and not at all clear to the average consumer. When a customer swipes their credit card or places an order online, the merchant passes that information on to their processor. The processor is a company, such as Global Payments, that has been designated by the merchant’s bank to process payments on their behalf. The processor sends the request to the card brands, who check the balance with the bank that issues the credit card and forward an approval or denial based on credit availability and fraud checks. That approval is forwarded back to the merchant and the customer and the whole process only takes 2-3 seconds on the average day. At the end of the day the merchant bundles the credit card requests and sends them to their bank, appropriately designated the merchant bank, who forwards the information through the card brands to the banks of the people who charged their cards that day. The relationship is complex and my explanation doesn’t cover the many variations that can crop up, but it covers the basic idea. For more information, there is a wiki page.
One of the most interesting aspects of this is that Visa has removed Global Payments from the list of compliant processors, a step that I don’t think has been taken for any breach since that of CardSystems in 2005. CardSystems was the first major breach of the credit card flow to catch the public attention and it was very clear that de-listing was done to buoy consumer confidence. But since then very few service providers of any stripe have had their listing pulled, which indicates there may be more going on behind the scenes than is being reported publicly. Global Payments’ relative silence and the updates to the number of records compromised add to this impression. Of course, no one expects any company to come clean immediately when faced with a compromise, but the degree to which this incident is causing lips to be sealed is interesting by itself. Will Global Payments have to go through a similar process as CardSystems, basically selling themselves to prevent total collapse?
We’ve gotten to the point where we almost expect daily or weekly notifications from merchants stating they’ve been compromised. But where merchants are not in the business of securely taking in credit card numbers, that’s exactly what processors and banks are supposed to be focusing on. A merchant makes their money by selling products to consumers whereas a payment processor is selling the security of the transaction and any breach of that trust is a major issue. The processors are also aggregation points for multiple merchants and many processors have millions of card transactions flowing through their systems on a daily basis. As such, they know, beyond a shadow of a doubt, that they are being targeted by attackers and that their security is paramount to continuing to be in business.
I strongly suspect that what’s been disclosed so far is simply the tip of the iceberg. If Global Payments was compromised for a month and a half, as currently stated, then a much higher number of card numbers than 1.5 million were most likely processed during that time. Which means the compromise was either contained in some way with or without the awareness of Global Payments, or there is another shoe waiting to drop. My money is on the latter.
Update: I forgot to add that there was a brief outage of the Visa network on Saturday morning when they updated systems inside VisaNet. Yeah, that can’t be at all related to the Global Payments breach, could it?