MasterCard, Visa suffer massive breach


The conventional wisdom about credit card security has been that since the infamous Heartland Payment Systems breach in 2008, security has ramped up a notch. From that time forward, there has been a lot of gnashing of teeth. But how much more secure is the industry?

That's hard to say, but the breach of accounts at MasterCard and Visa suggests that while progress may have been made, the bad guys have stepped up their game as well. Reportedly, both companies have alerted their customers, saying a breach occurred between Jan. 21 and Feb. 25 of this year. The specific location of the breach was at a third-party firm, Global Payments of Atlanta, which helps Visa and MasterCard process card transactions for merchants. As banks have stepped up their security processes, it would appear that these third parties have been targeted, as they represent a conduit through which sensitive information passes on every transaction.

So what's the harm?

One bank executive estimated that about 1 million to 3 million accounts could be affected. That does not mean all those cards were used fraudulently, but that credit card information on the cardholders was exposed. Respected security journalist Brian Krebs reports that up to 10 million accounts may have been compromised. That compares with 130 million accounts that were compromised by the Heartland breach, which ultimately cost the firm $140 million in total. While the numbers this time are smaller, there's plenty of reason for concern. It will be interesting to see how the big card network operators respond.

This is a huge issue as well for card issuers, including a lot of banks and credit unions. Visa has handed over a list of compromised account numbers to issuers, and issuers just might be forced to issue new cards, on their own dime. They have started their own analytics, and we'll see what they turn up. The really big costs would come if cyber thieves manage to actually steal money via these accounts. In that case, it would be doubtful that retail account holders would be asked to swallow losses. That liability would fall to the issuer, which we presume would have insurance.

The breach does not necessarily mean we will witness a lot of actual outright thefts. Some, if not most, of the information was likely encrypted in compliance with PCI-DSS. Hopefully, that will mitigate the harm, though not the anxiety. -Jim