Global Payments' response to the data breach disclosed last week, as well as the card networks' response, followed a familiar script.
As did other processors before it, Global Payments Inc. considered itself compliant with the Payment Card Industry Data Security Standard until it discovered the breach last month. Now it's not.
The immediate consequence for Global Payments is its removal from Visa Inc.'s list of compliant merchants. Global Payments said it expects eventually to pay a fine and cover the cost of reissued cards.
"Visa has removed us from the PCI compliance list. … Upon reflection, that was not unexpected," Paul R. Garcia, Global Payments' chairman and chief executive, said on an April 2 morning conference call.
The PCI issue is something of a "Catch-22," Garcia said, in that an entity is assumed noncompliant if it reports a breach even if it has had no prior issues in demonstrating its compliance.
Otherwise, it's business as usual. Global Payments is still handling Visa transactions and even has signed up new customers since it reported the breach to the card networks, Garcia said.
"We're not precluded from signing up new merchants," he said. "We're literally signing them right now." He did not say how many.
The company said it expects a comparable response from the other card networks.
The pattern played out in 2009 with Heartland Payment Systems and RBS WorldPay, which is no longer a unit of Royal Bank of Scotland. These processors confirmed breaches within months of each other and experienced similar consequences. Both were allowed to handle Visa transactions even after being declared noncompliant with the PCI standard.
Heartland was particularly vocal about how it had passed its PCI assessments for years without issue. After the breach, it stressed that it was investing in new technology to further improve its security beyond what the PCI standard requires.
"I think it's a convenient, but inaccurate, statement to say that a company is certified to be compliant one day and suddenly does something wrong that they're not compliant the next day," said Robert O. Carr, Heartland's chairman and CEO, in a 2009 interview after its breach.
Global Payments estimated that the breach it discovered last month exposed up to 1.5 million card accounts, a large number but far short of the estimated 10 million accounts that had been reported.
The Atlanta-based processor appears confident in its estimate, though there is still an ongoing investigation by law enforcement and the card networks, Garcia said.
Global Payments emphasized that the issue was with its own technology, not that of a merchant or an ISO. The incident affected a "handful of servers" in Global Payments' North American processing system, Garcia said.
The breach was discovered, but not prevented, by loss-prevention software Global Payments uses, he said.
Global Payments reported the breach to the networks and to law-enforcement authorities "within hours" of its discovery and has since "contained" the issue, Garcia said.
The breach could have a broad impact on the industry, as lawmakers are calling for immediate action to pass long-stalled data-security legislation in the face of Global Payments' troubles.