Monday, April 2, 2012

Global Payments Breach


Welcome InfoSec Daily Podcast listeners! I'm going to address a few items related to this story that were discussed on last night's show.
  • To the best of my knowledge, participation in VISA's Service Provider Registry is required for all service providers potentially storing VISA cardholder data. Based on my experience, this is primarily a way to track service providers and a marketing tool. Even though Global has been booted off the list, they can still continue to do business, process VISA cards, and sign up new merchants. If anyone has more direct experience or corrections, please comment below.
  • PCI is applied different to service providers like processors. However, it is in the opposite direction from what you were thinking. Service providers actually have more requirements to comply with than a merchant would. They do the full PCI DSS plus a few additional requirements that apply only to service providers. They also have to perform level 1 compliance (full Report on Compliance annually, third party annual audit required) with much fewer annual transactions than a merchant would. I think where this misunderstanding came from is the fact that, traditionally, issuers haven't needed to be PCI compliant. That's changed in recent years.
  • YES, the requirement not to store track data applies equally to processors as it does to merchants. Issuers (financial institutions that actually brand and send out credit cards) are the only ones with a good chance of getting an exception for storing track data, as they are the original source for producing/creating that data.

Here's the original post:

It isn’t so much the size of this breach that is significant, but the fact that one of the largest global payment processors got popped. Visa has allowed them to continue processing credit cards, but dropped them off their service provider registry (which is a BIG deal). The breach only affects North American merchants and cardholders. To give you an idea of how bad a breach at a large credit card processor can be, if a month’s worth of the transactions they handle were exposed, it is entirely possible that over 90% of all cardholders in the US would need new credit/debit cards.

This doesn’t happen often. I only know of two other cases where a processor was hit by a breach. CardSystems Services, as a business, was literally destroyed by their breach. VISA and AMEX revoked processing rights, forcing CardSystems to have to shut down operations and sell off assets almost overnight. Heartland Payment Systems is the most recent case, and the second largest breach ever at 130 million. They were also stripped from the registry, but managed to recover, regain PCI compliance, and get back onto the registry within a year.

Global Payments had a public conference call at 8AM this morning that I didn’t have time to listen to, but has resulted in an explosion of news stories on the breach.

The worst thing I've been able to determine from the details so far, is that it seems Global Payments was storing Track Data. The PCI DSS explicitly forbids storing track data (requirement 3.2.1), and PCI considers the storage of sensitive data to be one of the most serious PCI violations. CardSystems was effectively shut down for a lesser violation, though their breach was much larger.

It will be interesting to see if any of the details of the breach are released. These details are essential for the rest of the industry to learn from Global's mistakes. I'd like to see:
  • The attack vectors used, and the level of sophistication necessary to breach Global.
  • How long the attackers had access to systems
  • If track data really was stored, and what Global's excuse for such a violation is
  • Why the breach was limited to only 1.5 million accounts in North America. A large processor like Global might process 1.5 million transactions in just a few days. Why weren't more accounts stolen? Why only North America? Perhaps some effective segmentation was in place? That would be good news the PCI Council would be happy to point out.
  • And of course, we'll hopefully eventually find out who the perps were, and their level of hacking expertise

Time will tell.


  1. From the articles that I have read I'm not sure that they were storing track data or not. It's entirely possible that the track data was captured in transit. According to their website they process 5 billion transactions per year, so 1.5 million credit cards would be seen in less than 1 day.

    Also they mentioned that "This incident does not involve our merchants or their relationships with their customers." I take that to mean that their merchant credit card processing was not compromised at all. Maybe they are also an issuer or provide services to issuers and that was what was compromised. It's also possible that they provide services to other processors and that was what was compromised. In either of those scenarios, their direct merchants would not be affected.

  2. There are really too many questions floating around to come to any solid conclusions. It is frustrating to have so little detail or insight into the event. Many of the statements are seemingly contradictory or don't make sense in the context of payment processing.

    As I said, only time will tell.

  3. This comment has been removed by a blog administrator.

  4. This comment has been removed by a blog administrator.