Gartner Blog Network


Is the latest Global Payments breach just one several others out there?

by Avivah Litan  |  April 2, 2012  |  13 Comments

I just got off the Global Payments call where they talked about their breach. Their breach seems to be very different than the one Visa issued an alert on. Information presented on the timing windows were different and not reconciled during the Global Payments call (Visa reported the exposure window was January 21, 2012 – February 25, 2012, and Global Payments only reported they self-detected the breach early March), the data that may have been stolen was different (Visa reported Track 1 and 2; Global Payment reported only Track 2), and the reports on fraud (Global Payments said they had not heard about fraud on the stolen cards) are different.

Sounds like there’s a lot more going on out there than the payment industry and law enforcement have nailed down and are prepared to talk about.

In the meantime, Global Payments who was PCI compliant at the time of their breach is no longer PCI compliant – and was delisted by Visa – yet they continue to process payments.

What’s the takeaway on PCI? The same one that’s been around for years. Passing a PCI compliance audit does not mean your systems are secure. Focus on security and not on passing the audit.

Category: 

Avivah Litan
VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…Read Full Bio


Thoughts on Is the latest Global Payments breach just one several others out there?


  1. […] MasterCard reported, and what Global Payments said, according to Gartner analyst Avivah Litan. In a blog post April 2, she noted that the credit card companies said that Track 1 data—including cardholder names and […]

  2. […] none of those details match those of the Global Payments hack, which has opened up the discussion over whether or not the Global Payments breach was simply one of […]

  3. […] MasterCard reported, and what Global Payments said, according to Gartner analyst Avivah Litan. In a blog post April 2, she noted that the credit card companies said that Track 1 data—including cardholder names and […]

  4. […] Monday’s conference call, Avivah Litan of Gartner says in a blog post that there are several details that do not line up. For example, though Visa reported that the exposure window was between January 21, 2012 and […]

  5. \Global Payments who was PCI compliant at the time of their breach\

    How do you know? Do you know who assessed them while they were being hacked?

  6. […] fraud has already happened. It is difficult to pinpoint the amount, since card fraud has become a near-constant reality for financial institutions of any […]

  7. […] rascal has already happened. It is formidable to pinpoint a amount, given card rascal has turn a near-constant reality for financial institutions of any […]

  8. Ulf Mattsson says:

    Is Trustwave the QSA?
    Did Amazon host the system?
    Did Accenture recommend the security solution for CHD?

  9. Jeff Ogden says:

    Good post, Aviviah. It’s interesting how firms spin the news to put themselves in the best possible light. It also interesting that Global Payments was compliant but not secure.

    This will be an interesting case to watch as the facts continue to emerge.

    Good point on focusing on security rather than compliance too.

    Jeff Ogden

  10. […] fraud has already happened. It is difficult to pinpoint the amount, since card fraud has become a near-constant reality for financial institutions of any […]

  11. […] hard t&#959 pinpoint th&#1077 amount, &#1109&#1110n&#1089&#1077 card fraud h&#1072&#1109 become a near-constant reality f&#959r financial institutions &#959f &#1072n&#1091 […]

  12. […] rascal has already happened. It is formidable to pinpoint a amount, given card rascal has turn a near-constant reality for financial institutions of any […]



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.