Global Payments' response to the data breach disclosed last week, as well as the card networks' response, followed a familiar script.
Like other processors before it, Global Payments (GPN) was considered compliant with the Payment Card Industry data security standard until it discovered the breach last month. Now it's not.
The immediate consequence for Global Payments is its removal from Visa's (NYSE:V) list of compliant merchants. Global Payments said it expects to eventually cover the cost of reissued cards and may pay a fine or other charge to the card networks.
"Visa has removed us from the PCI compliance list … upon reflection, that was not unexpected," said Paul R. Garcia, Global Payments' chairman and chief executive, on a Monday morning conference call.
The PCI issue is something of a "Catch-22," Garcia said, in that an entity is assumed to be noncompliant if it reports a breach even if it has had no prior issues in demonstrating its compliance.
Otherwise, it's business as usual. Global Payments is still handling Visa transactions and has even signed up new customers since it reported the breach to the card networks, Garcia said.
"We're not precluded from signing up new merchants," he said. "We're literally signing them right now." (He did not say how many.)
The company said it expects a comparable response from the other card networks.
The pattern played out in 2009 with Heartland Payment Systems and RBS WorldPay (which is no longer a unit of Royal Bank of Scotland). These processors confirmed breaches within months of each other and suffered similar consequences. Both were allowed to handle Visa transactions even after being declared noncompliant with the PCI standard.
Heartland was particularly vocal about how it had passed its PCI assessments for years without issue. After the breach, it stressed that it was investing in new technology to further improve its security beyond what the PCI standard requires.
"I think it's a convenient, but inaccurate, statement to say that a company is certified to be compliant one day and suddenly does something wrong that they're not compliant the next day," said Robert O. Carr, Heartland's chairman and CEO, in a 2009 interview after its breach.
Global Payments estimated that the breach it discovered last month exposed up to 1.5 million card accounts — a large number but far short of the estimated 10 million accounts that had earlier been reported in the media.
The Atlanta processor is confident in its estimate, though there is still an ongoing investigation by law enforcement and the card networks, Garcia said.
Global Payments emphasized that the issue was with its own technology, not that of a merchant or an independent sales organization. The incident affected a "handful of servers" in Global Payments' North American processing system, Garcia said.
The breach was discovered — but not prevented — by loss prevention software Global Payments uses, he said.
Global Payments reported the breach to the networks and to law enforcement authorities "within hours" of its discovery and has since "contained" the issue, Garcia said.