Tuesday, February 24, 2009

Visa Confirms Another Payment Processor Breach

Another Month...Another Data Breach. 

Visa confirmed today that
rampant rumors of yet another major payment processor breach are, in fact, true.  That marks the third straight month with a "massive" data breach.

The article states that the "victim" (interesting choice of words) appears to be a provider that processes online transactions. 

I say it's high time for the more secure E2EE online debit to make a marquee appearance on the web.  After all, this is getting crazy...and it's just the beginning.  Malicious code today, SSL or DNS attack tomorrow.

In a new report that came out yesterday from BAI and Hitachi Consulting, (see Debit is King, Cash Overthrone") it was revealed that Debit now makes up 37% of all payments.  Cash is second at 29%.  PIN is preferred 45% to 35%.  So, think about it.   Debit is #1, Cash is #2, and PIN Debit is the same as a real-time cash payment...and it provides end to end encryption.  And it's known as online debit.  So when is a major player, oh, let's say V or MC going to realize that it's time to back online debit for online shopping?  These breaches may force their hand sooner vs. later.

In all three breaches, RBS
Worldpay, Heartland  Payments and the latest mystery processor, PIN's were NOT compromised.  In fact, you never read about PIN's being compromised.  (Yes, there was one isolated incident last July with Citibank ATM's, but they were using a Windows based application and left their data in the clear.  That is not the way PINs are usually handled and they've corrected  the situation.

We said back in December that 2009 will be the "Year of the Hack."  We also  said a key buzzword for 2009 will be end to end encryption.  Until yesterday's confirmation, there had only been "rumors" of a third payment processor hack.
Information Security Resources first ran a story about it on February 14tha and the PIN Payments Blog shared their story on the 15th. See "Another Payment Processor Hacked - February 15th - PIN Payments Blog.)

Well according to yesterday's SC Magazine, Visa has confirmed the rumors as fact.    3 in 3.  Until there's across the board E2EE encryption, which HomeATM has done since January 2007...yes two full years ago expect to see these breaches crop up.

So who's going to be hit the hardest?  It looks like e-commerce merchants, because the data stolen, (Personal Account Numbers and Expiration Dates), cannot be used to clone cards but can be used for Card Not Present transactions.  The biggest risk from these kind of breaches are chargebacks.  I would humbly remind everyone that PIN Debit virtually eliminates chargebacks. 

Here's SC magazine's story:

Another payment processor has fallen victim to hackers, Visa confirmed on Monday.

Visa and MasterCard are notifying banks about accounts impacted by a "major compromise," unrelated to the massive Heartland Payment Systems incident announced last month, according to a number of credit unions and banking associations.

The hackers apparently breached the processor in the same way they infiltrated Heartland -- by placing malicious software on the network, according to an alert from the Pennsylvania Credit Union Association.

Visa hosted a conference call on Feb. 12 to notify member banks about the breach, which affected transactions made from February to August 2008, the association said. The incident involves account numbers and expiration dates, but no track data was compromised;  therefore the attackers would be unable to make counterfeit cards.

The size of the breach appears significant
but fewer cards were affected than in the Heartland case, the Community Bankers Association of Illinois said in its own announcement. (Editor's Note:  Well, I would hope  so...) That breach potentially exposed as many as 100 million accounts.

The victim in this case appears to be a provider that processes online transactions, said David Shettler, vice president and CTO of Open Security Foundation, a nonprofit that researches data breaches.  Editor's Note:  See ProPay Denies Breach - January 30th - PIN Payments Blog.

He told SCMagazineUS.com on Monday that the group has been receiving tips about the breach since Feb. 12, but few details have been confirmed.

"What concerns me is that Visa and MasterCard, they clearly know who it is," Shettler said. "That just won't say anything because the processor hasn't come clean. The of sort feel it gives people is that Visa and MasterCard are covering for some unnamed organization."

Visa and MasterCard began notifying card issuers about affected accounts on Feb. 9 and 13, respectively. It is unclear whether this processor was compliant with payment industry guidelines, the association said. Heartland was deemed Payment Card Industry Data Security Standard-certified (PCI DSS) when it announced its breach.

This marks the third data-loss incident to impact payment processors in the past three months. In December, RBS WorldPay disclosed a breach that affected some 1.5 million card users. Shettler said cybercriminals are zoning in on these entities because they deal with the most amount of information.

"You can crack into merchants, but that's a limited scope," he said. "If I were the payment card industry, namely Visa and MasterCard, I'd be concerned."  Visa said it was working with business and financial institutions to improve security measures.  (Editor's Note:  We'll that's interesting.  For the record, we'd be happy to work with Visa or MasterCard..

"It's essential that every business that handles payment card information adhere to the highest data protection standards to protect the security and privacy of their customers' financial information," Visa said in a statement. Well that certainly sounds like a ringing endorsement for a web-based PIN debit application to me!)

A representative from MasterCard could not be reached for comment.





Reblog this post [with Zemanta]

Disqus for ePayment News