Global Payments breach: Understanding the role of processors in the credit card transaction chain

By Linda Musthaler | April 02, 2012

Posted in: Network Security Trends

The Global Payments credit card data breach investigation is still in its early stages, and right now the full extent of the situation is yet to be determined. In a press conference this morning, senior executives from GPN did say that the breach is fully contained and the company has a team of security experts and law enforcement professionals on the investigation. The company says no more than 1.5 million records were stolen.

I want to put a little bit of context around this breach so that as you read further reports, you can understand the payments processing chain and the ramifications of a breach at this level.

What is a payments processor and what is its role in a payment transaction?

Credit card payment processors, such as Global Payments, are the middlemen that accept credit and debit card transactions from merchants and determine where they need to be routed so that money can ultimately change hands.

Let’s say, for example, that you have a credit card issued by Wells Fargo (the “issuer”), with the Visa (called the “network” or “card association”) logo on it. You go to a clothing store and pull out your Visa card to make your purchase. The merchant swipes your card and sends the critical transaction information – more on this later – to a processor for routing to Visa. (While there are literally millions of merchants in the U.S., there are fewer than a dozen major processors in the country.)

Visa receives the transaction information and sees that Wells Fargo issued the credit card. Visa forwards the transaction to Wells Fargo, which is the company that owns the agreement for that card with you. Based on various parameters, the bank determines whether or not it wants to allow the transaction, and if it is approved, sends an authorization code back to Visa. Visa, in turn, sends it to the processor, which routes the approval to the merchant. When the merchant receives the “OK” code from the payments chain, it concludes the sale and off you go with your new clothes.

You can see that many companies handle the sensitive transaction data. The main role of the processor is to collect data from merchants and route it to the proper network and issuer, and to send the bank’s authorization code back to the merchant.

What kind of data was exposed in the Global Payments breach and how can it be monetized?

According to published reports, hackers are suspected to have accessed Track 1 and Track 2 data, although GPN now states it believes it was only Track 2 data. Among other data bits, Track 1 contains the Primary Account Number (PAN), the card’s expiration date, and the cardholder’s name. Track 2 contains similar data necessary for processing a transaction.

In the United States, this data is embedded within the magnetic stripe on the back of a credit/debit card. Because the technology of the magnetic stripe is so old (four decades!), the data is not encrypted. It is possible for a thief to create a counterfeit card using Track 1 and Track 2 data from a legitimate card or account by imprinting it onto a blank plastic card. In the underground economy, thieves buy and sell this type of credit card data all the time. (Read my previous post “A peek into the underground economy and the market for stolen credit cards.”)
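Because track data sits in the clear, an investigator or a data-loss-prevention control needs to recognise it wherever it turns up (logs, crash dumps, memory captures) and mask the PAN before the material is stored or shared. The following is an added example written for this post, not code from Global Payments or any processor; the log lines and the PAN (a well-known Visa test number) are constructed, and the field layout follows the standard ISO/IEC 7813 track format described above.

```python
import re

# Constructed sample lines, as they might appear in a log or memory capture
# pulled during an investigation. The PAN is a well-known Visa test number.
SAMPLE_LINES = [
    "2012-03-30 02:14:07 swipe ok %B4111111111111111^DOE/JANE^1512101000000000000?",
    "2012-03-30 02:14:07 swipe ok ;4111111111111111=1512101000000000000?",
    "2012-03-30 02:14:11 swipe ok ;4111111111111112=1512101000000000000?",  # fails Luhn
]

# Layout per ISO/IEC 7813: Track 1 is %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# and Track 2 is ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?]*\?")

def luhn_ok(pan: str) -> bool:
    """Mod-10 check every real PAN passes; requiring it cuts regex false positives."""
    digits = [int(c) for c in pan][::-1]
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
                for i, d in enumerate(digits))
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the usual PCI DSS display rule."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(line: str) -> list:
    """One record per Luhn-valid track found in the line; the PAN is returned masked."""
    found = []
    for m in TRACK1_RE.finditer(line):
        pan, name, yy, mm, svc = m.groups()
        if luhn_ok(pan):
            found.append({"track": 1, "pan": mask_pan(pan), "name": name,
                          "expiry": f"20{yy}-{mm}", "service_code": svc})
    for m in TRACK2_RE.finditer(line):
        pan, yy, mm, svc = m.groups()
        if luhn_ok(pan):
            found.append({"track": 2, "pan": mask_pan(pan),
                          "expiry": f"20{yy}-{mm}", "service_code": svc})
    return found

def redact(line: str) -> str:
    """Mask each Luhn-valid PAN inside track data so the line can be stored or shared safely."""
    def sub(m):
        pan = m.group(1)
        return m.group(0).replace(pan, mask_pan(pan), 1) if luhn_ok(pan) else m.group(0)
    return TRACK2_RE.sub(sub, TRACK1_RE.sub(sub, line))
```

Run `find_track_data` over each line to inventory what was exposed and `redact` before writing anything to a ticket or evidence share; the third sample line is dropped because its check digit fails Luhn, which is exactly the kind of hit a scanner should treat as a probable false positive rather than a card.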

PSCU, a provider of online financial services to credit unions, has reported that 876 accounts whose data was reportedly stolen from Global Payments have already seen fraudulent activity. (GPN says it’s not aware of any fraudulent transactions.) PSCU reports the activity has been geographically dispersed, which would not be surprising from a processor breach. Global Payments services merchants all over the world, so you would expect that the stolen card data would come from cards issued in numerous locations.

The good news is that Visa, MasterCard, and other networks that processed these payments can identify the accounts that may have been compromised. They have already notified the issuing banks of these accounts, and the banks can take appropriate action to prevent further fraud. This might mean closing a card holder’s account and issuing a new card. It may include scrutinizing every transaction from an account known or suspected to have been accessed by the hacker. It will likely mean notifying the affected cardholders and offering to pay for a credit watch. (Almost every state requires that cardholders be notified if their cards are even suspected of being compromised.)

How could this breach happen?

GPN is emphatic in its assertion that the breach didn’t happen at the merchant level, which is inherently the weakest point of the payments process. Global Payments has acknowledged that it was their own systems that were hacked.

The most troubling aspect of this breach is that it could happen at all. Because payment processors handle so much sensitive data, they have quite a few layers of security around their processes and the data they handle. Data is encrypted at rest and in transit, but it is in the clear as it’s being used. Could a hacker have gotten into the memory of the computers at Global Payments? If so, how?

In the weeks and months ahead, it will be very interesting to hear how a hacker managed to compromise the system. I’ve read reports that indicate an administrator account may have been involved. We’ll see. Let’s let the forensic investigators do their jobs and find the weak link so it can be strengthened to prevent further breaches—not just for GPN, but for every company involved in processing payments.
