Hacker forces some banks to cancel Visa debit cards
Incident highlights security vulnerabilities at some third-party payment vendors
Computerworld - Falls Church, Va.
Several banks in the Washington area have been forced to cancel and reissue thousands of Visa debit cards after a hacker allegedly intercepted a file containing purchase data from a local online merchant.
![]()
![]()
![]()
Fighting Back
Participants in the Verified By Visa Program
Tickets.com
Buy.com
FirstChocolate.com
TheLostToys.com
JencoTreasures.com
GreatGolfEvents.com
Soon to be added
Target.com
Dell.com
CompUSA.com
1-800-flowers.com
McAfee.com
CDnow.com
GiftCatalog.com
MarshallFields.com
Ashford.com
First Virginia Banks Inc. in Falls Church, Va., last week began notifying 500 of its customers that their card numbers and expiration dates, phone numbers and addresses had been compromised. Likewise, Atlanta-based SunTrust Banks Inc., which has branch offices in northern Virginia, Washington and Maryland, began monitoring several customer accounts that may have been compromised.
This comes two weeks after Washington-based Riggs Bank sent letters to 3,000 of its customers informing them that a local online merchant's customer database containing their Visa debit card numbers had been hacked and compromised. Officials at First Virginia, Riggs, Visa International Inc. and the FBI declined to name the retail operation where the data originated.
All the payment data belonged to customers who had made purchases from an online merchant in the Washington area. However, Visa declined to say whether the data was taken directly from a system belonging to the merchant or from one of the many companies that process electronic payments between online retailers and Visa.
Visa characterized the incident as "a potential compromise of cardholder data stored on a third party's computer."
First Virginia has "no way of knowing which merchant it is that had their database hacked," said Rick Bowman, the bank's chief financial officer. "Visa does not disclose that information."
A Riggs official, who spoke on condition of anonymity, said, "It would not be fair to identify the merchant" because the matter is still under investigation by the FBI and the incident could have been the result of security holes at one of several third-party companies that process Visa transactions. To date, there is no evidence of fraud stemming from the incident, the official said.
News of the incident comes as Foster City, Calif.-based Visa is unveiling incentives for online retailers to adopt its Visa Authenticated Payment system. Announced Sept. 4, the payment system is designed to help those merchants conduct real-time verification of the identities of Internet shoppers.
Mike Yakel, vice president of Visa USA's e-Visa division, said all online payment transactions go through "an acquirer," or third-party payment vendor, that submits the purchase from the merchant to the Visa system over the Internet. There are 50 to 100 companies nationwide that provide payment services.
"Because the Internet is an open network, there is far more potential that the data could be accessed by somebody," said Yakel.
Starting next year, a new Visa policy will require online merchants to offer encryption protection to cardholders during their online purchases. Any electronic merchant participating in the Verified by Visa program satisfies this requirement.
Yakel said banks that issue cards and sponsor payment vendors to become part of the Verified by Visa initiative also assume liability and have a responsibility to prevent security breaches from occurring.
Read more about Security in Computerworld's Security Topic Center.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Overcome Top 7 Admin Challenges of Active Directory
- As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
- Insiders Can Ruin Your Company. Take Action.
- Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
- Top Solutions and Tools to Prevent Devastating Malware
- Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
- X-Ray of the PCI Process-4 Proactive Steps
- This white paper from Forrester Research Inc., helps break PCI into understandable components. Security and risk professionals will gain knowledge and insight into...
- Identity Governance: The Business Imperatives
- This white paper describes the business challenges and opportunities that are driving interest in Identity Governance while discussing considerations your organization should make... All Security White Papers
- Live Webcast
Playing Defense: Staying on Top of Your Disaster Recovery Game - When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing...
- Introduction to VMware vCenter Site Recovery Manager 5
- Traditional disaster recovery solutions are often too expensive, complex and unreliable to meet business requirements. As a result, IT departments are hesitant to...
- The Top Ten Secrets to Avoiding SAN Performance Problems
- Maintaining peak performance while simultaneously addressing the root cause of SAN errors is challenging. Learn the most common SAN problems and explore new...
- Deduplication Without Compromise
- Go inside Quantum's scalable, high-performance, multi-protocol new DXi deduplication appliances, designed to make backup much more effective. Discover how the new future-proof DXi6700...
- Director of Disk Products Discusses DXi6700
- Discover how the new DXi 6700 series of deduplication appliances provide investment protection and a future-proof feature set, all while delivering fast, scalable,...
- Playing Defense: Staying on Top of Your Disaster Recovery Game
- When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing... All Security Webcasts