Blog post

Is the latest Global Payments breach just one several others out there?

By Avivah Litan | April 02, 2012 | 3 Comments

I just got off the Global Payments call where they talked about their breach. Their breach seems to be very different than the one Visa issued an alert on. Information presented on the timing windows were different and not reconciled during the Global Payments call (Visa reported the exposure window was January 21, 2012 – February 25, 2012, and Global Payments only reported they self-detected the breach early March), the data that may have been stolen was different (Visa reported Track 1 and 2; Global Payment reported only Track 2), and the reports on fraud (Global Payments said they had not heard about fraud on the stolen cards) are different.

Sounds like there’s a lot more going on out there than the payment industry and law enforcement have nailed down and are prepared to talk about.

In the meantime, Global Payments who was PCI compliant at the time of their breach is no longer PCI compliant – and was delisted by Visa – yet they continue to process payments.

What’s the takeaway on PCI? The same one that’s been around for years. Passing a PCI compliance audit does not mean your systems are secure. Focus on security and not on passing the audit.

Comments are closed

3 Comments

  • \Global Payments who was PCI compliant at the time of their breach\

    How do you know? Do you know who assessed them while they were being hacked?

  • Ulf Mattsson says:

    Is Trustwave the QSA?
    Did Amazon host the system?
    Did Accenture recommend the security solution for CHD?

  • Jeff Ogden says:

    Good post, Aviviah. It’s interesting how firms spin the news to put themselves in the best possible light. It also interesting that Global Payments was compliant but not secure.

    This will be an interesting case to watch as the facts continue to emerge.

    Good point on focusing on security rather than compliance too.

    Jeff Ogden