Global Payments Breach 'Manageable'CEO: Processor Hack Impacts 1.5MM Cards; No Fraud Reported
Executives at Global Payments Inc. say they're still uncovering details about the newly reported data breach of some of its North American processing servers - a breach now estimated to have exposed an estimated 1.5 million payment cards.
During an early-morning conference call on April 2, Chairman and CEO Paul R. Garcia repeated the main message of an April 1 statement: Global Payments is confident no personally identifiable information about consumer cardholders was exposed during the payments processor breach.
"We are making significant progress in defining and rectifying the event," Garcia said, opening a 30-minute discussion of the breach, which was first reported on March 30. "The company believes that fewer than 1.5 million card numbers may have been stolen, and that the theft is confined to our North American processing system."
"This is manageable," Garcia said in response to a question about the breach impact. "We will get through this."
Garcia would not go into details of the breach, which is under investigation by law enforcement officials, but he did say initial forensics reveal that Track 2 card data may have been stolen. Cardholder names, addresses and Social Security numbers were not believed to have been obtained.
The CEO also confirmed reports that Visa has removed Global Payments from its list of processors compliant with the Payment Card Industry Data Security Standard. And in response to a question about MasterCard, Garcia said, "It wouldn't be unexpected to have MasterCard take a similar action."
Among the other points Garcia emphasized:
- Global Payments - not a third-party - discovered the breach. "It was self-discovered and self-reported," Garcia says. "We found this, and we reported it within hours."
- To date, no fraudulent transactions have been tied back to any of the data stolen;
- Global Payments says it has not suffered any prior breaches, despite some industry claims that a breach or breaches have occurred in the past. One questioner asked: "This is the first incident?" Garcia responded: "We hope it's the last."
And though some industry sources have speculated the breach affected more commercial and business account cardholders than consumers, Garcia would not provide a breakdown. He would only go so far as to say that all major card brands regularly used by consumers were considered affected. To that end, later today, Global Payments is expected to launch a new website dedicated to consumer updates about the breach. The site's URL is www.2012infosecurityupdate.com.
'This Will Make Us Better'
Global Payments uncovered the breach three weeks ago after fraud detection systems discovered that servers linked to the company's North American card business had been accessed. Garcia said the company immediately notified law enforcement and the major card networks of the breach, and it had been working with investigators since that time to narrow down the extent of the compromise.
"We found this, so the detection software we had in place worked," Garcia said. "We are focusing on where that happened, and we are not going to share any specific details, beyond to say it's confined to North America and this is an ongoing federal investigation."
While he did not offer details about the security weakness that allowed the breach, Garcia did say the incident would improve security. "This will make us better - this will make PCI better," he said.
Based in Atlanta, Global Payments processes billions of payment card, check and e-commerce transactions annually for more than 1 million global merchant locations worldwide. The company employs 4,000, and Garcia says 100 of them are focused on investigating and remediating this breach.