
Breach Revives Doubts About Card Industry Security Standard

APR 2, 2012 2:35pm ET

The Global Payments breach and others like it suggest banks need to rethink how they protect card data.

Like Heartland Payment Systems and RBS WorldPay in 2009, Global Payments was thought to be in compliance with the Payment Card Industry data security standard – until it discovered the breach. Now it's been kicked off the compliant list, as were the other two processors. Global Payments said Monday it expects to cover the costs of reissuing cards and may pay a fine or other charge to the card networks, as Heartland had to do three years ago.

Otherwise it's business as usual, at least for the processor, if not for the up to 1.5 million cardholders whose account numbers were stolen. The familiar pattern suggests the PCI standard is a weak deterrent against lax stewardship.

"This, in the end, does more damage to PCI than it does to Global Payments because it pretty clearly calls into question whether PCI compliance is worth anything at all … you can be totally compliant and still be breached," says Aaron McPherson, a practice director at the Framingham, Mass., research firm IDC Financial Insights.

"From an issuer's point of view, you have to assume that nobody is really that secure, that breaches are going to occur and you need to be able to handle it on your own," McPherson says.

Global Payments said Monday it's continuing to sign up merchants even after Visa (NYSE:V) removed it from the list of compliant companies. The Atlanta processor said it expects the other card networks to react similarly.

Even though Global Payments' stock was off by about 3% Monday, Timothy Willi, a senior analyst with Wells Fargo, noted that other processors have lived down data breaches.

"It appears there is concern by some around the issue of PCI compliance and the timeline around recertification and the impact non-compliance will have," Willi wrote in a research note Monday. "We believe these concerns are unfounded and would point out it took [Heartland Payment Systems] approximately three months to regain its PCI compliance following its breach with no meaningful impact on its business."

A Visa spokeswoman referred a reporter to an American Banker op-ed published after the 2009 Heartland incident. "No compromised entity to date has been found to have been compliant with the standard at the time of the breach," wrote Ellen Richey, Visa's chief enterprise risk officer, in 2009. "PCI validation is not the same as PCI compliance. Annual validation is important, but ongoing vigilance is essential."

Critics of PCI are "missing the larger picture," she wrote. "We must always keep in mind that the standard was never intended to be the sole means of safeguarding data within the payment system."

Paul R. Garcia, Global Payments' chairman and chief executive, said on a conference call Monday that the company is caught in a "Catch-22": a company is presumed noncompliant with PCI once it reports a breach even if it has had no prior problems demonstrating its compliance.

But Global Payments is still handling Visa transactions and "we're not precluded from signing up new merchants," Garcia said. "We're literally signing them right now." (He did not say how many.)

After its breach Heartland was particularly vocal about how it had passed its PCI assessments for years without issue. The company stressed that it was investing in new technology to further improve its security beyond what the PCI standard requires.
