Navigation
Global Payments hopes to soon regain PCI compliance after breach
Apr 03, 2012

Stephanie Wright, Contributor Published: 2 Apr 2012

Payment processing company Global Payments said today it is working to regain PCI compliance following a breach announced late last week. Visa removed Global Payments from its list of PCI compliant companies following the breach, in which it has been reported that 1.5 million records were lost. Visa said it will re-evaluate Global Payments after the conclusion of ongoing investigations and remediation measures, according to Paul Garcia, Global Payments chairman and CEO.

What we need to do is complete the investigation portion of this process, and then identify and perform any required remediations at that point, and we’ll do just that. That’s our plan.

David Mangum, senior executive vice president and CFO, Global Payments

“Upon reflection, this was not unexpected, and we are focused on the remediation measures necessary for full, timely PCI reinstatement,” Garcia said. “We clearly realize that is something we need to do as quickly as possible, and you can be assured we are working very collaboratively with the associations... But they have to make certain that every single thing that we say is fixed. … That’s not days—it’s longer than that, regrettably. We don’t think it’s months, but we have work to do here.”

CFO David Mangum agreed that it is premature to be estimating an exact time frame.

“What we need to do is complete the investigation portion of this process, and then identify and perform any required remediation at that point, and we’ll do just that. That’s our plan,” Mangum said.

Meanwhile, Gartner analyst Avivah Litan wrote in a blog post today that the details Global Payments reported were not the same as the details reported by Visa. Litan wrote:

“Information presented on the timing windows were different and not reconciled during the Global Payments call (Visa reported the exposure window was January 21, 2012 – February 25, 2012, and Global Payments reported they self-detected the breach early March), the data that may have been stolen was different (Visa reported Track 1 and 2; Global Payment reported only Track 2), and the reports on fraud (Global Payments said they had not heard about fraud on the stolen cards) are different.”

The breach, which Global Payments now believes included the payment card numbers of approximately 1.5 million individuals but not their names, addresses, Social Security numbers or other personal information, was self-reported after discovery through existing security measures, Garcia said.

“Just detecting it early is a good thing, but it doesn’t necessarily forgive us from trying to stop it altogether. So we are focused on that aspect of it,” he said. “Are we going to spend even more money (quite frankly) on security? The answer is yes.”

The Global Payments management did not specifically identify steps that would be taken to enhance security following the necessary investigation and compliance remediation measures. They did emphasize that the incident occurred within a subset of their North American processing system rather than through a merchant or point-of-sale system, and that they are not concerned about their relationships with partners and consumers. They are also processing all payment transactions as usual, including Visa transactions.

“I think our merchants and our customers understand that this will make us even stronger,” Garcia said. “This will make us all better… We’re all in this together.”

PREVIOUS POSTS
Oct 11.11 | Businesses failing to comply with PCI DSS security standards: Verizon and Banktech India News Network, 9/29/2011 10:55:29 AM

Too many businesses are struggling to comply with payment card security standards, putting consumers’ confidential information at risk, according to a report by IT services and solutions provider Verizon. Te report for a second year in a row found compliance lacking on the payment card security front. read more

May 03.11 | Sony data breach update reveals 'bad practices' By Emily Chung, CBC News

The data breach affecting Sony Online Entertainment's 24.6 million accounts is linked to a previously announced cyberattack on Sony's PlayStation Network and Qriocity entertainment service, which affected the personal information of more than 77 million users. Thomas Peter/Reuters read more

Mar 11.11 | Assume you’re always under attack’: experts By: Liam Lahey On: 11 Mar 2011 For: ComputerWorld Canada

Enterprises must make a conscious decision about what information we’re prepared to lose, said an exec with security vendor Symantec. Why companies are missing the mark with security risk management read more

Oct 26.10 | ‘Spear-Phishing’ Attacks Keep on Giving by Kim Zetter, wired.com

‘Spear-Phishing’ Attacks Keep on Giving

* By Kim Zetter read more

Sep 16.09 | Web server attacks, poor app patching make for nasty mix Jump in site hacks, lazy Adobe, Sun, Apple program patching to fuel online threats By Gregg Keizer September 15, 2009 03:44 PM ET

Web server attacks, poor app patching make for nasty mix
Jump in site hacks, lazy Adobe, Sun, Apple program patching to fuel online threats
By Gregg Keizer
September 15, 2009 03:44 PM ET read more

Jul 02.09 | Heartland breach cost $12.6 million, CEO says

By Robert Westervelt, News Editor 07 May 2009 | SearchFinancialSecurity.com

Heartland Payment Systems Inc. said it was experiencing losses this quarter as a direct result of a massive data breach it disclosed in January when investigators discovered a malicious program sniffing credit card data passing through its systems. read more

Apr 20.09 | RBS, Heartland no longer PCI compliant

RBS, Heartland no longer PCI compliant

By Dan Goodin in San Francisco • Posted in Security, 13th March 2009 21:40 GMT

Visa on Friday alerted the world that RBS WorldPay and Heartland Payment Systems are not on its list of payment card processors who are in good standing with industry-mandated standards for data security.

The move follows announcements by both companies that they experienced data breaches that exposed details for a large number of credit cards to criminal hackers. RBS said the security lapse exposed 1.5 million cards. Heartland has yet to say how many cards were affected.
read more

Sep 30.08 | FAQ: Clickjacking -- should you be worried? Nearly all browsers are vulnerable to this new attack class, but details are scarce!

read more

Jul 25.08 | Credit-card fraud probe targets Pearson's self-service kiosks

An investigation of suspected credit-card fraud at Toronto's Pearson airport is now concentrating on the security of its 150 self-service check-in kiosks. read more

ARCHIVE