Visa: New payment-processor data breach not so new after all

Company says recent breach alerts involved ongoing probe of earlier system intrusion

Days after Visa Inc. seemingly confirmed that a data breach had taken place at a third payment processor, following on the recent breach disclosures by Heartland Payment Systems Inc. and RBS WorldPay Inc., the credit card company is now saying that there was no new security incident after all.

In actuality, Visa said in a statement issued today, alerts that it recently sent to banks and credit unions warning them about a compromise at a payment processor were related to the ongoing investigation of a previously known breach. However, Visa still didn't disclose the identity of the breached company, nor did it say why it is continuing to keep the name under wraps.

Visa said that it had sent lists of credit and debit card numbers found to have been compromised to financial institutions "so they can take steps to protect consumers." The company added that it currently "is risk-scoring all transactions in real time, helping card issuers better distinguish fraudulent transactions from legitimate ones."

Visa's latest statement follows ones that both it and MasterCard International Inc. issued earlier this week in response to questions about breach notices that had been posted by several credit unions and banking associations. The notices made it clear that they weren't referring to the system intrusion disclosed by Heartland on Jan. 20 and suggested that a new breach had occurred.

Visa's initial statement and the one from MasterCard were both carefully worded; neither said specifically that the breach being referred to was a new one, but they also didn't say that it was a previously disclosed incident. Visa said it was "aware that a processor has experienced a compromise of payment card account information from its systems," while MasterCard said it had notified card issuers of a "potential security breach" affecting a payment processor in the U.S.

MasterCard officials didn't respond today to requests seeking clarification on whether its statement referred to a previous breach or a new one.

Benson Bolling, vice president of lending at the Alabama Credit Union in Tuscaloosa, said today that officials there had understood the breach to be a new one based on the alerts sent out by Visa — but couldn't say that for sure. According to Bolling, the credit union, which posted an advisory on Feb. 17 and updated it two days later, was informed by Visa of a "big breach" shortly after getting the word about the intrusion at Heartland.

The identifying number that was used in the so-called Compromised Account Management System alert issued by Visa appeared to suggest a new breach, because it was different from those used in previous CAMS notices, Bolling said. It was his understanding, he added, that CAMS alerts related to a previous breach would use the same identifier as the original notifications.

Almost 50% of the credit and debit cards issued by the credit union have been affected by the Heartland breach or the compromises detailed by Visa in the latest CAMS alert, Bolling said, without disclosing the number of compromised cards.

The Pennsylvania Credit Union Association (PCUA) also issued an advisory, dated Feb. 13, in which it described the recent alerts from Visa and MasterCard as being related to a new breach. "As the entity involved has not yet issued a press release, Visa and MasterCard are unable to release the name of the merchant processor," the PCUA said. The advisory appears to have since been removed from the association's Web site, but a cached version can be found via the Google search engine.

An advisory posted by the Tuscaloosa VA Federal Credit Union in Alabama also indicated that "another" payment processor had been breached and said that the compromise involved so-called card-not-present transactions, such as those made online or via the phone. Tuscaloosa VA noted that the "window of exposure" provided by both Visa and MasterCard was from February 2008 to this January. And like the PCUA, the credit union said that because the affected payment processor had yet to publicly announce the breach, Visa and MasterCard were unable to identify it.

Heartland has yet to disclose the scope of the breach in its systems, saying that it still doesn't know how many card numbers were compromised. The company, which processes more than 100 million transactions per month, also has yet to specify when exactly the system intrusion took place, beyond saying that malware was operational on its systems "during part of 2008."

RBS WorldPay, the Atlanta-based payment processing division of The Royal Bank of Scotland Group PLC, disclosed on Dec. 23 that its systems had been breached by unknown intruders, resulting in the compromise of personal information belonging to about 1.5 million owners of prepaid payroll and gift cards (download PDF). The compromised information included the Social Security numbers of 1.1 million people, according to the company, which said it had discovered the breach in early November.

Copyright © 2009 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon