Posted by: Ben Cole
Global Payments, PCI compliance requirements
Until recently, you may have not heard of Atlanta-based credit card payment processing server Global Payments Inc. On the other hand, it’s likely that you’re very familiar with two of the company’s main clients: Visa and MasterCard. But Global Payments was made instantly more recognizable when it announced last week that up to 1.5 million of its Visa and MasterCard accounts were potentially breached.
The data breach was confined to North America, according to a Global Payments statement. Track 2 card data may have been stolen, but cardholder names, addresses and Social Security numbers were not obtained during the breach, the statement said.
MasterCard and Visa made it very clear that their own systems were not compromised. This information, however, did not stop Visa from making a somewhat symbolic move surrounding its PCI compliance requirements for processors: After the breach, Visa announced it had removed Global Payments from a list of “compliant service providers.”
Global Payments has promised to recommit to PCI and other compliance standards in light of the breach. It is also working with “multiple information security firms and forensics firms to investigate and address” the issue.
But did Global Payments — or any other credit card payment processors — ever really commit to PCI compliance requirements in the first place?
In an interesting report following the Global Payments incident, a New York Times article stated that while financial service companies such as Visa and MasterCard have increased security in recent years, their payment processors have become more vulnerable. These payment processers are not held to the same compliance and security standards as the banks and retailers they serve … and hackers are starting notice.
Up until this week’s news of the Global Payments breach, perhaps processors thought they could slide under the radar. But now that Visa and MasterCard customers — as well as anyone else who reads the news — know exactly who they are, will they be held accountable for PCI and other compliance mandates? We’ll find out in the coming months if other payment processors are hacked. If it becomes a trend, these processors will likely be on notice to improve security and compliance processes before they’re in the news again.