Visa: New payment-processor data breach not so new after all

Days after Visa seemingly confirmed that a data breach had taken place at a third payment processor, following on the recent breach disclosures by Heartland Payment Systems and RBS WorldPay, the credit card company now is saying that there was no new security incident after all.

In actuality, Visa said in a statement issued Friday, alerts that it sent recently to banks and credit unions warning them about a compromise at a payment processor were related to the ongoing investigation of a previously known breach. However, Visa still didn't disclose the identity of the breached company, nor say why it is continuing to keep the name under wraps.

Visa said that it had sent lists of credit and debit card numbers found to have been compromised as part of the investigation to financial institutions "so they can take steps to protect consumers." It added that it currently "is risk-scoring all transactions in real-time, helping card issuers better distinguish fraudulent transactions from legitimate ones."

Visa's latest statement follows ones issued by both it and MasterCard International earlier this week in response to questions about breach notices that had been posted by several credit unions and banking associations. The notices made it clear that they weren't referring to the system intrusion disclosed by Heartland on January 20 and suggested that a new breach had occurred.

Visa's initial statement, and the one from MasterCard, were both carefully worded; neither said specifically that the breach being referred to was a new one, but they also didn't say that it was a previously disclosed incident. Visa said it was "aware that a processor has experienced a compromise of payment card account information from its systems," while MasterCard said it had notified card issuers of a "potential security breach" affecting a payment processor in the US.

MasterCard officials didn't respond Friday to requests seeking clarification on whether its statement referred to a previous breach or a new one.

Benson Bolling, vice president of lending at the Alabama Credit Union, said Friday that officials there had understood the breach to be a new one based on the alerts sent out by Visa - but couldn't say that for sure. According to Bolling, the credit union, which posted an advisory on February 17 and updated it two days later, was informed by Visa of a "big breach" shortly after getting the word about the intrusion at Heartland.

Page Break

The identifying number that was used in the so-called Compromised Account Management System alert issued by Visa appeared to suggest a new breach, because it was different from those used in previous CAMS notices, Bolling said. It was his understanding, he added, that CAMS alerts related to a previous breach would use the same identifier as the original notifications.

Almost 50 percent of the credit and debit cards issued by the ACU have been affected between the Heartland breach and the compromises detailed by Visa in the latest CAMS alert, Bolling said, without disclosing the number of compromised cards.

The Pennsylvania Credit Union Association also issued an advisory, dated February 13, in which it described the recent alerts from Visa and MasterCard as being related to a new breach. "As the entity involved has not yet issued a press release, Visa and MasterCard are unable to release the name of the merchant processor," the PCUA said. The advisory appears to have since been removed from the association's Web site, but a cached version can be found via the Google search engine.

An advisory posted by the Tuscaloosa VA Federal Credit Union also indicated that "another" payment processor had been breached and said that the compromise involved so-called card-not-present transactions, such as those made online or via the phone. Tuscaloosa VA noted that the "window of exposure" provided by both Visa and MasterCard was from February 2008 to this January. And like the PCUA, the credit union said that because the affected payment processor had yet to publicly announce the breach, Visa and MasterCard were unable to identify it.

Heartland has yet to disclose the scope of the breach in its systems, saying that it still doesn't know how many card numbers were compromised. The company, which processes more than 100 million transactions per month, also has yet to specify when exactly the system intrusion took place, beyond saying that malware was operational on its systems "during part of 2008."

RBS WorldPay, the payment processing division of The Royal Bank of Scotland Group, disclosed December 23 that its systems had been breached by unknown intruders, resulting in the compromise of personal information belonging to about 1.5 million owners of prepaid payroll and gift cards (download PDF). The compromised information included the Social Security numbers of 1.1 million people, according to the company, which said it had discovered the breach in early November.