Breach Revives Doubts About Card Industry Security Standard

The Global Payments breach and others like it suggest banks need to rethink how they protect card data.

Like Heartland Payment Systems and RBS WorldPay in 2009, Global Payments was thought to be in compliance with the Payment Card Industry data security standard – until it discovered the breach. Now it's been kicked off the compliant list, as were the other two processors. Global Payments said Monday it expects to cover the costs of reissuing cards and may pay a fine or other charge to the card networks, as Heartland had to do three years ago.

Otherwise it's business as usual, at least for the processor, if not for the as many as 1.5 million cardholders whose account numbers were stolen. The familiar pattern suggests the PCI standard is a weak deterrent against lax stewardship.

"This, in the end, does more damage to PCI than it does to Global Payments because it pretty clearly calls into question whether PCI compliance is worth anything at all … you can be totally compliant and still be breached," says Aaron McPherson, a practice director at the Framingham, Mass., research firm IDC Financial Insights.

"From an issuer's point of view, you have to assume that nobody is really that secure, that breaches are going to occur and you need to be able to handle it on your own," McPherson says.

Global Payments said Monday it's continuing to sign up merchants even after Visa (NYSE:V) removed it from the list of compliant companies. The Atlanta processor said it expects the other card networks to react similarly.

Even though Global Payments' stock was off by about 3% Monday, Timothy Willi, a senior analyst with Wells Fargo, noted that other processors have lived down data breaches.

"It appears there is concern by some around the issue of PCI compliance and the timeline around recertification and the impact non-compliance will have," Willi wrote in a research note Monday. "We believe these concerns are unfounded and would point out it took [Heartland Payment Systems] approximately three months to regain its PCI compliance following its breach with no meaningful impact on its business."

A Visa spokeswoman referred a reporter to an American Banker op-ed published after the 2009 Heartland incident. "No compromised entity to date has been found to have been compliant with the standard at the time of the breach," wrote Ellen Richey, Visa's chief enterprise risk officer, in 2009. "PCI validation is not the same as PCI compliance. Annual validation is important, but ongoing vigilance is essential."

Critics of PCI are "missing the larger picture," she wrote. "We must always keep in mind that the standard was never intended to be the sole means of safeguarding data within the payment system."

Paul R. Garcia, Global Payments' chairman and chief executive, said on a conference call Monday that the company is caught in a "Catch-22": a company is presumed noncompliant with PCI once it reports a breach even if it has had no prior problems demonstrating its compliance.

But Global Payments is still handling Visa transactions and "we're not precluded from signing up new merchants," Garcia said. "We're literally signing them right now." (He did not say how many.)

After its breach Heartland was particularly vocal about how it had passed its PCI assessments for years without issue. The company stressed that it was investing in new technology to further improve its security beyond what the PCI standard requires.

"I thought, in the wake of Heartland, that everyone had learned … you can't rest on your laurels in this environment," says Julie Conroy McNelley, a senior risk and fraud analyst at Aite Group LLC.

The PCI standard has some value, as it has led to a reduction in major data breaches, she says. But its power should not be overestimated.

"PCI should not be viewed as a panacea, and it never should have been," McNelley says.

Others say the problem is as much with magnetic-stripe cards as it is with the PCI standard.

"Everyone that looks at security knows that [magnetic-stripe] technology is clearly outdated and PCI compliance hasn't been the answer," says Avivah Litan, a vice president at the Stamford, Conn., market research company Gartner Inc.

Banks can adapt by pushing for stronger payment technology, such as the EMV chip-card standard or mobile payments. They can also adopt technology behind the scenes that relies less on the security of the other companies that handle payment data.

Global Payments estimated that the breach it discovered last month exposed up to 1.5 million card accounts — a large number but far short of the estimated 10 million accounts that had been earlier reported in the media.

The processor is confident in its estimate, though there is still an ongoing investigation by law enforcement and the card networks, Garcia said.

Global Payments emphasized that the issue was with its own technology, not that of a merchant or an independent sales organization. The incident affected a "handful of servers" in Global Payments' North American processing system, Garcia said.

The breach was discovered — but not prevented — by loss-prevention software Global Payments uses, he said.

Global Payments reported the breach to the networks and to law enforcement authorities "within hours" of its discovery and has since "contained" the issue, Garcia said.

The company reported Monday that its revenue for its fiscal third quarter, which ended Feb. 29, rose 17% to $533.5 million from the same period a year earlier. Its diluted earnings per share rose 24% to 73 cents.
