Global Payments Responds to News of Breach: ‘We Jumped on This Instantly’
April 2, 2012
Late Friday, Global Payments Inc. issued a statement confirming it had experienced an unauthorized breach of the security protecting its processing systems. Unnamed sources identified Global Payments earlier in the day as the source of the breach. Several outlets speculated that up to 10 million records could have been stolen and that Track 1 and Track 2 data had been compromised (which would enable cards to be counterfeited).
According to Paul Garcia, CEO of Global Payments, however, the company believes the card numbers stolen total less than 1.5 million, that the breach is confined to the North American processing system and that only Track 2 data was compromised. Cardholder names, addresses and social security numbers were not obtained by criminals, Garcia said in a press conference held this morning in Atlanta. During the press conference, Garcia characterized the incident as “contained.”
Garcia emphasized that Global Payments itself found and reported the breach immediately. Visa, however, has responded by removing Global Payments from its list of PCI-compliant processors. Garcia said Visa’s response is not unexpected but that the company was found compliant before the event.
“Prior to the breach, we received a report of compliance,” he said. “After the breach we were removed. It’s a little bit of a Catch-22. You’re compliant prior. If something happens, by definition you’re no longer so.”
Visa in January sold a portfolio of 9,000 U.S.-based e-commerce merchant clients it had inherited in its acquisition of CyberSource to Global Payments for $45 million. Garcia, however, said the breach was confined to Global Payments’ systems and did not affect either merchants or ISOs.
Asked when Global Payments might be reinstated to Visa’s list of compliant processors, Garcia cited the ongoing investigation and said he couldn’t specify a timeframe. He said he expects MasterCard to act similarly.
“You can be assured we’re working very collaboratively with the associations,” Garcia said. “They have to make certain that every single thing we say is fixed is fixed. That’s not [going to take] days. It’s longer than that, regrettably. We don’t think it’s months, but we have work to do here.”
While Global Payments maintains it is not aware of any fraudulent activity occurring on the compromised card accounts, several reports on Friday cited financial institutions that had seen some activity. Garcia, however, said that those reports, along with other conjecture about the timing and length of the breach, were not accurate to his knowledge.
“There is a lot of rumor and innuendo out there, which is not helpful to anyone, and most of it is incredibly inaccurate,” he said. “Approximately three weeks ago we identified that cardholder data may have been taken. Literally, within hours of that discovery we contacted federal law enforcement and the card associations. We jumped on this instantly.”
The company has established a website for consumers who have questions about the breach, www.2012infosecurityupdate.com, which will be operational today.