The Global Payments Inc. breach and others like it suggest the payment industry should rethink how it protects card data.
Like Heartland Payment Systems and RBS WorldPay in 2009, Global Payments thought it was complying with the Payment Card Industry Data Security Standard, until it discovered the breach.
Now it's kicked off the compliant list, as were the other two processors. Global Payments said April 2 it expects to pay fines and cover the costs of reissuing cards, as Heartland had to do three years ago.
Otherwise it's business as usual, at least for the processor if not for the up to 1.5 million cardholders whose account numbers were stolen. The familiar pattern suggests the PCI standard acts as only a weak deterrent to lax stewardship.
"This, in the end, does more damage to PCI than it does to Global Payments because it pretty clearly calls into question whether PCI compliance is worth anything at all. … You can be totally compliant and still be breached," says Aaron McPherson, a practice director at the Framingham, Mass.-based research firm IDC Financial Insights.
"From an issuer's point of view, you have to assume that nobody is really that secure, that breaches are going to occur and you need to be able to handle it on your own," McPherson says.
Global Payments says it's continuing to sign up merchants even after Visa Inc. removed it from the list of compliant companies. The Atlanta-based processor said it expects the other card networks to react similarly.
Though Global Payments' stock was off by about 3% April 2, Timothy Willi, a senior analyst with Wells Fargo, noted that other processors have lived down data breaches.
"It appears there is concern by some around the issue of PCI compliance and the timeline around recertification and the impact noncompliance will have," Willi wrote in an April 2 research note. "We believe these concerns are unfounded and would point out it took [Heartland] approximately three months to regain its PCI compliance following its breach with no meaningful impact on its business."
A Visa spokesperson referenced an op-ed published after the 2009 Heartland incident. "No compromised entity to date has been found to have been compliant with the standard at the time of the breach," Ellen Richey, Visa's chief enterprise risk officer, wrote in 2009. "PCI validation is not the same as PCI compliance. Annual validation is important, but ongoing vigilance is essential."
Critics of PCI are "missing the larger picture," she wrote. "We must always keep in mind that the standard was never intended to be the sole means of safeguarding data within the payment system."
Paul R. Garcia, Global Payments chairman and chief executive, said during an April 2 conference call the company is caught in a "Catch-22": a company is presumed noncompliant with PCI once it reports a breach even if it has had no previous problems demonstrating its compliance.
But Global Payments is still handling Visa transactions, and "we're not precluded from signing up new merchants," Garcia said. "We're literally signing them right now." (He did not say how many.)
After its breach, Heartland became particularly vocal about how it had passed its PCI assessments for years without issue. The company stressed that it was investing in new technology to further improve its security beyond what the PCI standard requires.
"I thought, in the wake of Heartland that everyone had learned … you can't rest on your laurels in this environment," says Julie Conroy McNelley, a senior risk and fraud analyst at Aite Group LLC.
The PCI standard has some value, as it has led to a reduction in major data breaches, she says. But the industry should not overestimate the standard's power.
"PCI should not be viewed as a panacea, and it never should have been," McNelley says.
Others say the problem lies with magnetic stripe cards, not just with the PCI standard.
"Everyone that looks at security knows that [mag-stripe] technology is clearly outdated, and PCI compliance hasn't been the answer," says Avivah Litan, a vice president at the Stamford, Conn., market research company Gartner Inc.
The industry can adapt by pushing for stronger payment technology, such as the EMV chip card standard or mobile payments. Processors and issuers can also adopt technology behind the scenes that relies less on the security of other companies that handle payment data.
Global Payments estimates the breach it discovered last month exposed up to 1.5 million card accounts, a large number but far short of the estimated 10 million accounts that had been reported.
The processor is confident in its estimate, though there is still an ongoing investigation by law enforcement and the card networks, Garcia said.
Global Payments emphasized that the issue was with its own technology, not that of a merchant or an independent sales organization. The incident affected a "handful of servers" in Global Payments' North American processing system, Garcia said.
The breach was discovered, but not prevented, by loss-prevention software Global Payments uses, he said.
Global Payments reported the breach to the networks and to law enforcement authorities "within hours" of its discovery and has since "contained" the issue, Garcia said.
The company reported April 2 that revenue for its fiscal third quarter ended Feb. 29 rose 17%, to $533.5 million, from the same period a year earlier. Its diluted earnings per share rose 24%, to 73 cents.