On Friday, March 30, credit card transaction processor Global Payments announced it had identified a breach of its processing system and that as many as 1.5 million card numbers may have been stolen. Visa has subsequently removed Global Payments from its PCI (Payment Card Industry) compliance list.
For car rental operators or any merchant using Global Payments’ services, this is cause for concern. Here is what we know, culled from statements made by CEO Paul Garcia in a conference call with investors Monday morning, statements disseminated by Global Payments on its website, calls with Global Payments representatives and statements from Visa.
On the conference call, Garcia said that the theft was confined to North America and that cardholder names, addresses, Social Security numbers and consumer banking information were not obtained by the criminals. The attack was confined to a few North American servers. It is important to note that the potential 1.5 million card numbers are a mere fraction of the millions of accounts processed through Global Payments.
News reports surfaced that fraudulent activity had been linked to some of those accounts. Those news reports have been discredited. No fraudulent activity has been reported on those accounts, according to Global Payments.
Most importantly for car rental companies, no merchant accounts have been affected. Global Payments continues to process Visa transactions in the same manner. A Visa spokesperson confirmed this.
“I cannot stress more vehemently that this does not involve our merchants, our sales partners or their relationships with their customers,” Garcia said on the call. “Neither merchant systems nor point-of-sale devices were involved in any way.”
Car rental companies and other merchants do not have a responsibility to notify clients of this breach. In general, the merchant has no liability in this matter.
Questions arose as to whether removal from Visa’s PCI compliance list would expose merchants to possible chargebacks or other costs. Those procedures haven’t changed. A Visa spokesperson reiterated that point-of-sale merchants are generally not held liable for fraudulent transactions provided they follow proper procedure. The incident has no impact on transaction processing or normal chargeback processes.
Garcia said Global Payments has the situation contained. When will Visa reinstate Global Payments on its PCI compliance list? No one can say, but the timeline is dependent on finishing the investigation. Regardless, Garcia said he expects the company will be reinstated once it has been issued a new report of compliance.
During the conference call, Garcia was asked whether the company will step up R&D or system spending as a result. “Are we going to spend even more amount of money, quite frankly, on security?” responded Garcia. “The answer is yes.”
For updates on the data breach, visit www.2012infosecurityupdate.com.