Both Visa and MasterCard on Friday are acknowledging a possible data breach of a payment-card processing company's network that, once an investigation is completed, could show that sensitive cardholder data was stolen and payment fraud committed as a result of the break-in.
While neither Visa nor MasterCard directly named the payment processor in question, The Wall Street Journal, based on an unnamed source, is now identifying Global Payments of Atlanta, alleging the breach may only impact about 50,000 cardholders. While substantial, that would be far less than the possible 10 million speculated about by security writer Brian Krebs, the first to break the news about the data breach based on what sources told him.
Meanwhile, industry analysts also are tapping their own reliable sources. According to Gartner analyst Avivah Litan, an expert in online payments and security, sources in the industry are telling her the data breach started with a break-in by a Dominican national into an online card payments account for a taxi and parking garage in New York City, and may be traced back to a Central American gang.
Litan says that, based on what she knows at present, the data breach started with the criminal correctly answering the online authentication questions posed by so-called knowledge-based systems. Knowledge-based systems require answers to personal questions, such as where you got married or what your favorite book is. If you could get into the payments system this way, you could also get to a third-party processor, she says, adding she hasn't heard the name Global Payments mentioned.
In her blog, Litan writes, "Looks like the hackers took over an administrative account that was not protected sufficiently."
If this is what the ongoing investigation reveals the circumstances to be, it could mean that knowledge-based systems will not be approved in the way they might be now by Payment Card Industry (PCI) assessors, who oversee and approve computer-based systems used to store sensitive cardholder data.
In its statement about the ongoing investigation into the supposed data breach, Visa said it "is aware of a potential data compromise incident at a third-party entity affecting card account information from all major card brands. There has been no breach of Visa systems, including its core processing network, VisaNet. Visa has provided payment-card insurers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards."
MasterCard earlier today issued a similar statement.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.