Breached Processor Promotes PCI
Global Payments Aids Merchants to Assess, Attain Compliance
Global Payments Inc., the breached payments processor, is still trying to re-establish its own compliance with the Payment Card Industry Data Security Standard. But at the same time, the company is taking proactive steps to promote payment card security to its own merchant customers.
In late March, Global Payments reported a North American server breach of an estimated 1.5 million debit and credit accounts. Shortly after that announcement, Visa removed Global from its registry of PCI-compliant service providers.
Since then, Global Payments has pledged to undergo an independent audit and seek reinstatement to Visa's registry.
Meanwhile, from a prominent link on the Global Payments homepage, the processor actively promotes PCI compliance for merchants who accept payment card transactions.
"All merchants must be compliant," the special PCI site announces to merchants. "The best way to obtain your compliance is to validate with a qualified secured assessor."
The PCI message is tailored to Level 4 merchants - those processing fewer than 20,000 transactions per year - and it urges them to work with a pair of recommended payment application security vendors to assess compliance.
"To demonstrate our level of commitment, Global Payments has engaged [SecurityMetrics and Trustwave] to help Level 4 merchants determine their risk and provide direction to solutions," the site says.
The site goes on to briefly explain PCI compliance, offers contact information for the two vendors, and explains that their roles are to:
- Evaluate the extent of a Level 4 merchant's PCI-DSS validation requirements;
- Assist merchants in obtaining full compliance, which will include the completion of a self-assessment questionnaire.
"They also have the ability to assist you in locating any stored unencrypted cardholder data that you may have in your system," Global says of its relationship with the two vendors.
The page also points merchants to other QSA options, available on the PCI Security Standards Council website, should they prefer not to use services provided by SecurityMetrics or Trustwave.
PCI security expert and Gartner research director Anton Chuvakin says it is common for processors such as Global to promote their PCI compliance programs to merchants - but there are business risks.
"Acquiring banks and MSPs/processors would motivate merchants to get compliant, partner with vendors to offer them tools, etc.," he says. "However, this is a complex game. If they push too hard, the merchants can migrate to a 'looser' processor."
Based in Atlanta, Global Payments processes billions of payment card, check and e-commerce transactions annually for more than 1 million merchant locations worldwide.
Global's Own PCI Compliance
Global Payments has announced no new developments in its effort to be reinstated among Visa's approved service providers. But, without getting into specifics, Visa acknowledges that it is working closely with Global to help the processor get back into PCI compliance.
"Visa requires all service providers that store, process or transmit Visa account data to validate PCI-DSS compliance every 12 months," the card giant says in a statement to BankInfoSecurity. "Entities that validate their PCI-DSS compliance utilizing a qualified security assessor (QSA) are listed on Visa's Global Registry of Service Providers - PCI DSS Validated. ... Based on Global Payments' reported unauthorized access, Visa removed the company from its registry of PCI-DSS validated service providers and has asked Global Payments to revalidate compliance using a qualified security assessor."
No News on Breach
No new developments about the breach have been revealed since April 1, when Global posted a press release detailing the incident, which had been widely reported over the previous two days.
During a subsequent April 2 conference call with analysts and news media, Global Payments CEO Paul R. Garcia said the company had uncovered the breach three weeks earlier, after fraud-detection systems discovered servers linked to its North American card business had been accessed. Garcia said the company immediately notified law enforcement and the major card networks, adding it had been working with investigators since that time to narrow down the extent of the compromise.
"We found this, so the detection software we had in place worked," Garcia said. "We are focusing on where that happened, and we are not going to share any specific details, beyond to say it's confined to North America and this is an ongoing federal investigation."
Also as announced on April 2, Global did establish a special security update page for consumers and merchants, but the last posted update is dated April 16.
Associate Editor Jeffrey Roman contributed to this story.