I'm reading about Global Payments' explanation of this massive data breach we've all been reporting on, and I'm not nearly satisfied with their story. As someone whose credit cards may have been compromised, I have some pointed questions.
John Ribeiro of the IDG News Service, which serves CSO and other IDG publications, wrote about Global Payments' explanation this morning:
"The Atlanta company said Sunday it believes that the affected portion of its processing system is confined to North America, and that Track 2 card data may have been stolen. The American Bankers Association developed the format for track 2 data on a magnetic card, which usually contains account number, expiration date of card, and sometimes discretionary data. Cardholder names, addresses and social security numbers were not obtained by the hackers, Global Payments said. "Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained," it added. The company said it was open for business and continues to process transactions for all of the card brands."
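What "Track 2 data" means in practice is easiest to see in code. The following is an added example, not code from the article, from Global Payments or from IDG: it parses the Track 2 layout standardised in ISO/IEC 7813 (start sentinel `;`, account number, `=` separator, YYMM expiry, three-digit service code, discretionary data, end sentinel `?`) and doubles as a small scanner that flags and redacts such records wherever they leak into text, since PCI DSS forbids storing full track data after authorisation. The log lines are constructed for the example; the 4111111111111111 account number is a widely used test PAN, not a real card.

```python
"""Detect and redact ISO/IEC 7813 Track 2 records in text such as application logs.

Track 2 layout, start sentinel to end sentinel:
    ;<PAN, up to 19 digits>=<YYMM expiry><3-digit service code><discretionary data>?
PCI DSS forbids storing full track data after authorisation, so scanning logs
and files in scope for this shape is one way to catch it leaking.
"""
import re
from typing import List

# Capture groups follow the Track 2 field order; PAN length per ISO/IEC 7812 is 13-19 digits.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]{0,20})\?"
)


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check that every real card account number passes."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS permits to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track2(text: str) -> List[dict]:
    """Return every Track 2 record found in `text`, with the PAN already masked."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        pan, exp = m.group("pan"), m.group("exp")
        findings.append({
            "pan_masked": mask_pan(pan),
            "luhn_ok": luhn_valid(pan),          # False usually means a false positive
            "expiry": f"{exp[2:]}/{exp[:2]}",     # YYMM on the stripe -> MM/YY
            "service_code": m.group("svc"),
            "discretionary": m.group("disc"),
        })
    return findings


def redact_track2(text: str) -> str:
    """Replace each Track 2 record with a marker that keeps only the masked PAN."""
    return TRACK2_RE.sub(
        lambda m: f"[TRACK2 REDACTED pan={mask_pan(m.group('pan'))}]", text
    )


# Constructed sample log lines for the example; 4111111111111111 is a public test PAN.
SAMPLE_LOG = (
    "2012-03-30 10:15:02 pos-gw DEBUG swipe raw=;4111111111111111=25121011234567890? term=0042\n"
    "2012-03-30 10:15:03 pos-gw INFO  auth approved term=0042\n"
    "2012-03-30 10:16:11 pos-gw DEBUG swipe raw=;1234567890123456=2301201999999? term=0042\n"
)

if __name__ == "__main__":
    for finding in parse_track2(SAMPLE_LOG):
        print(finding)
    print(redact_track2(SAMPLE_LOG))
```

Run against the constructed log, the first record parses to a masked PAN of `411111******1111`, expiry `12/25`, service code `101` and discretionary data `1234567890`; the second fails the Luhn check, which is how a scanner separates a real stripe dump from digits that merely look like one. The point for the breach above is that nothing in a Track 2 record is a name or address, yet everything needed to clone the magnetic stripe is there, which is why its theft matters even when "cardholder names, addresses and social security numbers were not obtained."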
Fortunately, the credit card companies don't seem to be taking this breach lying down. According to Ribeiro's story, Visa has removed Global Payments from its list of "compliant service providers." He writes:
"A Visa spokesman said on Monday that based on Global Payments' reported unauthorized access, Visa removed the company from its registry of PCI DSS (Payment Card Industry Data Security Standard) validated service providers. As is its normal process, Visa has asked Global Payments to revalidate its PCI DSS compliance, he added. Global Payments did not immediately respond to a request for comment on Visa's action."
I want to know:
How on Earth were they designated PCI compliant in the first place? What were the specific actions they took to improve security and how did they allow those safeguards to fail? How rigorous was the auditing process? Did the QSAs put the processor through the wringer, or did they just casually saunter in, check off some boxes and move on to the next customer? Had Brian Krebs not broken the story Friday about MasterCard and Visa warning banks about the breach, how much longer would we have waited to hear from Global Payments? I suspect the processor would have taken its sweet time, putting us cardholders at risk.
Whatever Global Payments says next, I hope it doesn't blame everything on the QSAs. That's a cop-out and a denial of responsibility. Besides, Heartland Payment Systems Inc. CEO Robert Carr tried that -- using words like "betrayed" and "let down" -- and it blew up in his face.