I’m reading about Global Payments’ explanation of this massive data breach we’ve all been reporting on, and I’m not nearly satisfied with their story. As someone whose credit cards may have been compromised, I have some pointed questions.

John Ribeiro of the IDG News Service, which serves CSO and other IDG publications, wrote about Global Payments’ explanation this morning:

“The Atlanta company said Sunday it believes that the affected portion of its processing system is confined to North America, and that Track 2 card data may have been stolen. The American Bankers Association developed the format for track 2 data on a magnetic card, which usually contains account number, expiration date of card, and sometimes discretionary data. Cardholder names, addresses and social security numbers were not obtained by the hackers, Global Payments said. ‘Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained,’ it added. The company said it was open for business and continues to process transactions for all of the card brands.”

Fortunately, the credit card companies don’t seem to be taking this breach lying down. According to Ribeiro’s story, Visa has removed Global Payments from its list of “compliant service providers.” He writes:

“A Visa spokesman said on Monday that based on Global Payments’ reported unauthorized access, Visa removed the company from its registry of PCI DSS (Payment Card Industry Data Security Standard) validated service providers. As is its normal process, Visa has asked Global Payments to revalidate its PCI DSS compliance, he added. Global Payments did not immediately respond to a request for comment on Visa’s action.”

I want to know: How on Earth were they designated PCI compliant in the first place? What were the specific actions they took to improve security, and how did they allow those safeguards to fail? How rigorous was the auditing process?
Did the QSAs put the processor through the wringer, or did they just casually saunter in, check off some boxes and move on to the next customer?

Had Brian Krebs not broken the story Friday about MasterCard and Visa warning banks about the breach, how much longer would we have waited to hear from Global Payments? I suspect the processor would have taken its sweet time, putting us cardholders at risk.

Whatever Global Payments says next, I hope it doesn’t blame everything on the QSAs. That’s a cop-out and a denial of personal responsibility. Besides, Heartland Payment Systems Inc. CEO Robert Carr tried that, using words like “betrayed” and “let down”, and it blew up in his face.