Share
They are rumors. Yet, why wouldn’t RBS WorldPay jump to deny them? On Friday, Visa issued a statement essentially quashing the speculation of a third credit card processor breach. MasterCard said the same thing in an email to The Tech Herald. The rumored breach is not new. It’s part of an ongoing investigation. Considering the news, it has been announced that Heartland isn’t the culprit, which leaves only one active investigation – RBS WorldPay.
RBS WorldPay has yet to address rumors - are they the third breach? (IMG:SXC)
Seeking comment, The Tech Herald asked both MasterCard and Visa what was happening in the alleged processor breach. Both sent emails back with eerily similar responses.
“The recent alerts Visa sent to card issuers were part of an existing investigation and are not related to a new compromise event. Visa has provided the affected accounts to financial institutions so they can take steps to protect consumers. In addition, Visa is risk-scoring all transactions in real-time, helping card issuers better distinguish fraud transactions from legitimate ones,” said Visa in a statement Monday.
“In response to a potential security breach affecting an acquiring processor in the United States, MasterCard is monitoring developments and has notified issuers of cards that were determined to be improperly accessed by an unauthorized party to monitor for any suspicious account activity and take steps to protect cardholders… Because this incident is the subject of an ongoing investigation, we cannot disclose additional details regarding the incident or otherwise comment at this time,” MasterCard said about an hour later.
The breach is a part of an ongoing investigation, meaning the idea that a new processor was breached turned out to be wrong. With Visa and MasterCard on record, the alerts issued by the various credit unions and banks make sense. When you string the bits of information reported by various credit unions together, you can almost get a profile of the company who has generated all the alerts.
Two processor breaches are still in the investigation phase. They are ongoing because the criminals are not in custody; we know how the data was stolen, just not who stole it.
Heartland Payment Systems, the payment processor that came to mind when word of the “new” breaches started to spread, is the fist major breach. However, once more alerts from credit unions started to appear Heartland was pushed aside.
One alert, pointing out Heartland’s non-involvement, came from Tuscaloosa, VA, Federal Credit Union (TVAFCU).
“…another U.S. acquirer-processor has confirmed a network intrusion exposing primary card numbers and card expiration dates for card-not-present (CNP) transactions. Unlike the Heartland Payment breach, this breach does not expose magnetic stripe track data. The reported incident involves confirmed unauthorized access to a U.S. acquirer processor’s settlement system of stored transaction information that included Primary Account Numbers (PANs) and expiration dates,” the TVAFCU stated.
“As the entity involved has not yet issued a press release, Visa and MasterCard are unable to release the name of the merchant processor. It is important to note that this event is not related to the Heartland Payment Systems breach.”
This statement was backed up by a comment to The Consumerist by the Executive Director of Marketing at Heartland, Nancy Gross, who said, “We, too, have heard of a new breach. But, we can say with confidence that it is not at Heartland.”
That leaves one other processor to look at after Heartland, RBS WorldPay. RBS WorldPay reported that a breach of their systems affected 1.5 million cardholders on December 23, 2008. The breach led to a crime spree that is alleged to have netted some of the crooks over $9 million in a single day. The $9 million payday was the result of fake payroll cards used at ATMs in over 100 cities. The numbers used on those fake ATM cards all allegedly originated with the RBS WorldPay breach.
There is another interesting fact related to all of the processor breach hype. It comes from an advisory, left out of many media reports, from Fiserv, who offers processing solutions to businesses.
“The Risk Office Team has received information from Visa and MasterCard regarding the confirmed compromise of a U.S.-based acquirer processor. Please note that the compromised card alerts for this event are not related to the Heartland Data Systems’ breach,” the Fiserv advisory said.
“Visa’s preliminary investigation has revealed the following; A U.S.-based acquirer processor has confirmed unauthorized access to its settlement system. [There is] evidence of a SQL injection on processor server. Data elements at risk are account numbers and expiration dates only. Card not present fraud has been reported. All card brands are involved. Thus far, it has been determined that this is a significant event and we are receiving an increased number of compromised card alerts. Preliminary findings, however, indicate that the scope will be smaller than the recent Heartland breach.”
Both RBS and Heartland process online payments, both would be likely candidates for SQL Injection attack.
What about Bank of America Corporation, Fifth Third Bank, Chase Paymentech Solutions, Global Payments Inc., First Data Corporation, and NOVA Information Systems, Inc? As far as the public is aware, none of them is involved in an ongoing investigation. According to Visa and MasterCard’s statements to The Tech Herald, that is the key criteria in all of this. For that reason, they are excluded.
So what does all this mean? It means that unless Heartland, Visa, MasterCard, and several credit union notices all lied, RBS WorldPay is the source of all the credit alerts and the spark that started everyone talking about a third breach.
Why hasn’t RBS WorldPay said anything? If they are not the source, it would only take a few sentences to clear up. Heartland issued a statement, even Visa and MasterCard issued statements.
So does RBS WorldPay have something they wish to share with the rest of the class, or are we all missing the bigger picture?
What do you think? If it is not RBS WorldPay then who is it? Sound off in the comments.
The Tech Herald: Another payment processor has been breached, but which one?
Interested in a more interactive TTH? Join our Facebook Group Want regular updates from The Tech Herald? Follow us on Twitter
Advertising
Comment on this Story