The list of high-profile online security breaches expanded again last week.
Global Payments, (NYSE: GPN), an electronic transaction processing and payment service company employed by Visa USA , has been dropped from the credit company’s register for approved services. In other words, the company has been terminated until further notice.
Last week, Global Payments reported a breach of roughly 1.5 million Visa and MasterCard accounts in a non-public announcement to the credit companies.
More specifically, Global Payments said “Track 2” information was stolen. If compromised, Track 2 data allows the hacker to transfer card numbers, PIN information, and expiration dates onto the magnetic strip of a fraudulent card, which then can be used to make purchases.
In his initial statement, Global Payments CEO Paul Garcia
said: “It is reassuring that our security processes detected an intrusion.”
Despite Visa’s rapid decision to pull the plug on the third-party processor immediately, Global Payments took plenty of time to report the breach that occurred between January 21 and February 25.
That said, third-party processing is only part of an extremely complicated network involved in credit card processing, a network that exposes the consumer, merchant, and bank of issuance to hackers.
Here is a rundown of all the opportunities for a security breach that go into a single transaction:
- Step 1. The customer submits a credit card for payment.
- Step 2. The credit card company manages the complex routing of the data on behalf of the merchant.
- Step 3. The processor for the merchant’s bank submits the transaction to a credit card network like MasterCard or Visa.
- Step 4. The credit card network routes the transaction to the bank that issued the credit card to the customer.
- Step 5. The issuing bank approves or declines the card purchase.
- Step 6. The credit card network relays the transaction back to the merchant bank’s processor.
- Step 7. The credit card processing company stores the transaction results and sends them to a Website, where the customer and merchant can see that the sale or the purchase has been completed.
- Step 8. The issuing bank sends the appropriate funds for the transaction to the credit card network, which passes the funds on to the merchant bank.
This processing procession can be looked at two ways. First: “Wow, that seems like a whole lot of openings to create a breach for hackers.” Second: “Wow, it’s amazing there aren’t more security issues than already exist.” Either way, it appears the system is fraught with opportunity for fraudulent activity.
By the way, the same third-party processing leg of the credit card transaction was also responsible for the massive security breach that occurred in 2005, in which 40 million cards
were exposed by CardSystems Solutions.
A frightening reality is there are dozens of third-party processors, and according to the Nilson Report, Global Payments handled $120.6 billion in Visa and Mastercard transactions last year and ranks seventh among third-party vendors. A so-called “stress test” was administered to Global Payments last July and the firm passed.
Users aren’t happy. Following a CNET blog by Roger Chen, one commenter wrote: “The problem is complexity. These are enormous organizations with tens or even hundreds of thousands of people and thousands of systems and applications. The number of moving parts and the number of interactions is mind-boggling. It's almost inevitable that oversights will occur."
So what’s the solution -- more regulators, more stringent compliance, more frequent testing?
Or is less more? Fewer hands in the processing, fewer risky processors? Or perhaps less apathy by the merchants who should be required to ask the card user to give the CVV or 4-digit code on the back of the card… always!
Let’s not leave the consumer blameless. The FTC suggests some protective measures that can help guard consumers against some of the more common user indiscretions. Remember: Your card can be used online from activity you have provided on either the phone or in a traditional retail store.
The globalization of all markets through the Internet has serious repercussions that will continue for years to come. The vulnerability of the credit card industry is just one of them.
— Chris Poley has been a professional trader for more than 20 years.