Global Payments' response to the data breach disclosed last week, as well as the card networks' response, followed a familiar script.

As did other processors before it, Global Payments Inc. considered itself compliant with the Payment Card Industry Data Security Standard until it discovered the breach last month (see story).  Now it's not.

The immediate consequence for Global Payments is its removal from Visa Inc.’s list of compliant merchants. Global Payments said it expects eventually to pay a fine and cover the cost of reissued cards.

"Visa has removed us from the PCI compliance list. … Upon reflection, that was not unexpected," Paul R. Garcia, Global Payments' chairman and chief executive, said on an April 2 morning conference call.

The PCI issue is something of a "Catch-22," Garcia said, in that an entity is assumed to be noncompliant if it reports a breach even if it has had no prior issues in demonstrating its compliance.

Otherwise, it's business as usual. Global Payments is still handling Visa transactions and even has signed up new customers since it reported the breach to the card networks, Garcia said.

"We're not precluded from signing up new merchants," he said. "We're literally signing them right now." He did not say how many.

The company said it expects a comparable response from the other card networks.

The pattern played out in 2009 with Heartland Payment Systems and RBS WorldPay, which is no longer a unit of Royal Bank of Scotland (see story). These processors confirmed breaches within months of each other and experienced similar consequences. Both were allowed to handle Visa transactions even after being declared noncompliant with the PCI standard.

Heartland was particularly vocal about how it had passed its PCI assessments for years without issue. After the breach, it stressed that it was investing in new technology to further improve its security beyond what the PCI standard requires (see story).

"I think it's a convenient, but inaccurate, statement to say that a company is certified to be compliant one day and suddenly does something wrong that they're not compliant the next day," said Robert O. Carr, Heartland's chairman and CEO, in a 2009 interview after its breach (see story).

Global Payments estimated that the breach it discovered last month exposed up to 1.5 million card accounts–a large number but far short of the estimated 10 million accounts that had been earlier reported in the media (see story).

The Atlanta-based processor is confident in its estimate, though there is still an ongoing investigation by law enforcement and the card networks, Garcia said.

Global Payments emphasized that the issue was with its own technology, not that of a merchant or an independent sales organization. The incident affected a "handful of servers" in Global Payments' North American processing system, Garcia said.

The breach was discovered–but not prevented–by loss-prevention software Global Payments uses, he said.

Global Payments reported the breach to the networks and to law-enforcement authorities "within hours" of its discovery and has since "contained" the issue, Garcia said.

The breach could have a broad impact on the industry, as lawmakers are calling for immediate action to pass long-stalled data-security legislation in the face of Global's troubles (see story).
