Saturday, February 28, 2009

Visa: New Payment Processor Breach Not New

The new processor breach that has had everyone speculating over the past 2 weeks... is "not new" according to Visa. 

Everyone else's (100,000,000 plus cards) card information has not been kept a secret, yet the "identity" of the processor who let the hacking world into theirs HAS been.   Visa has already publicly stated that  this "new" breach was "unrelated to the Heartland breach," so that leaves only one processor in the running.  RBS Worldpay.  Developing...

Here's the story from ComputerWorld.com

Visa: New payment-processor data breach not so new after all
February 27, 2009 (Computerworld) Days after Visa Inc. seemingly confirmed that a data breach had taken place at a third payment processor, following on the recent breach disclosures by Heartland Payment Systems Inc. and RBS WorldPay Inc., the credit card company is now saying that there was no new security incident after all.

In actuality, Visa said in a statement issued today, alerts that it recently sent to banks and credit unions warning them about a compromise at a payment processor were related to the ongoing investigation of a previously known breach. However, Visa still didn't disclose the identity of the breached company, nor did it say why it is continuing to keep the name under wraps.

Visa said that it had sent lists of credit and debit card numbers found to have been compromised to financial institutions "so they can take steps to protect consumers." The company added that it currently "is risk-scoring all transactions in real time, helping card issuers better distinguish fraudulent transactions from legitimate ones."

Visa's latest statement follows ones that both it and MasterCard International Inc. issued earlier this week in response to questions about breach notices that had been posted by several credit unions and banking associations. The notices made it clear that they weren't referring to the system intrusion disclosed by Heartland on Jan. 20 and suggested that a new breach had occurred.

Visa's initial statement and the one from MasterCard were both carefully worded; neither said specifically that the breach being referred to was a new one, but they also didn't say that it was a previously disclosed incident. Visa said it was "aware that a processor has experienced a compromise of payment card account information from its systems," while MasterCard said it had notified card issuers of a "potential security breach" affecting a payment processor in the U.S.

MasterCard officials didn't respond today to requests seeking clarification on whether its statement referred to a previous breach or a new one.

Benson Bolling, vice president of lending at the Alabama Credit Union in Tuscaloosa, said today that officials there had understood the breach to be a new one based on the alerts sent out by Visa — but couldn't say that for sure. According to Bolling, the credit union, which posted an advisory on Feb. 17 and updated it two days later, was informed by Visa of a "big breach" shortly after getting the word about the intrusion at Heartland.

The identifying number that was used in the so-called Compromised Account Management System alert issued by Visa appeared to suggest a new breach, because it was different from those used in previous CAMS notices, Bolling said. It was his understanding, he added, that CAMS alerts related to a previous breach would use the same identifier as the original notifications...

continue reading at ComputerWorld.com


Disqus for ePayment News