Hacker forces some banks to cancel Visa debit cards

Computerworld - Falls Church, Va.

Several banks in the Washington area have been forced to cancel and reissue thousands of Visa debit cards after a hacker allegedly intercepted a file containing purchase data from a local online merchant.

	Fighting Back Participants in the Verified By Visa Program Tickets.com Buy.com FirstChocolate.com TheLostToys.com JencoTreasures.com GreatGolfEvents.com Soon to be added Target.com Dell.com CompUSA.com 1-800-flowers.com McAfee.com CDnow.com GiftCatalog.com MarshallFields.com Ashford.com

This comes two weeks after Washington-based Riggs Bank sent letters to 3,000 of its customers informing them that a local online merchant's customer database containing their Visa debit card numbers had been hacked and compromised. Officials at First Virginia, Riggs, Visa International Inc. and the FBI declined to name the retail operation where the data originated.

All the payment data belonged to customers who had made purchases from an online merchant in the Washington area. However, Visa declined to say whether the data was taken directly from a system belonging to the merchant or from one of the many companies that process electronic payments between online retailers and Visa.

Visa characterized the incident as "a potential compromise of cardholder data stored on a third party's computer."

First Virginia has "no way of knowing which merchant it is that had their database hacked," said Rick Bowman, the bank's chief financial officer. "Visa does not disclose that information."

A Riggs official, who spoke on condition of anonymity, said, "It would not be fair to identify the merchant" because the matter is still under investigation by the FBI and the incident could have been the result of security holes at one of several third-party companies that process Visa transactions. To date, there is no evidence of fraud stemming from the incident, the official said.

News of the incident comes as Foster City, Calif.-based Visa is unveiling incentives for online retailers to adopt its Visa Authenticated Payment system. Announced Sept. 4, the payment system is designed to help those merchants conduct real-time verification of the identities of Internet shoppers.

Mike Yakel, vice president of Visa USA's e-Visa division, said all online payment transactions go through "an acquirer," or third-party payment vendor, that submits the purchase from the merchant to the Visa system over the Internet. There are 50 to 100 companies nationwide that provide payment services.

"Because the Internet is an open network, there is far more potential that the data could be accessed by somebody," said Yakel.

Starting next year, a new Visa policy will require online merchants to offer encryption protection to cardholders during their online purchases. Any electronic merchant participating in the Verified by Visa program satisfies this requirement.

Yakel said banks that issue cards and sponsor payment vendors to become part of the Verified by Visa initiative also assume liability and have a responsibility to prevent security breaches from occurring.

Read more about security in Computerworld's Security Knowledge Center.