Payment processing company Global Payments said today it is working to regain PCI compliance following a breach announced late last week. Visa removed Global Payments from its list of PCI compliant companies following the breach, in which it has been reported that 1.5 million records were lost. Visa said it will re-evaluate Global Payments after the conclusion of ongoing investigations and remediation measures, according to Paul Garcia, Global Payments chairman and CEO.
What we need to do is complete the investigation portion of this process, and then identify and perform any required remediations at that point, and we’ll do just that. That’s our plan.
senior executive vice president and CFO,
“Upon reflection, this was not unexpected, and we are focused on the remediation measures necessary for full, timely PCI reinstatement,” Garcia said. “We clearly realize that is something we need to do as quickly as possible, and you can be assured we are working very collaboratively with the associations... But they have to make certain that every single thing that we say is fixed. … That’s not days—it’s longer than that, regrettably. We don’t think it’s months, but we have work to do here.”
CFO David Mangum agreed that it is premature to be estimating an exact time frame.
“What we need to do is complete the investigation portion of this process, and then identify and perform any required remediation at that point, and we’ll do just that. That’s our plan,” Mangum said.
Meanwhile, Gartner analyst Avivah Litan wrote in a blog post today that the details Global Payments reported were not the same as the details reported by Visa. Litan wrote:
“Information presented on the timing windows were different and not reconciled during the Global Payments call (Visa reported the exposure window was January 21, 2012 – February 25, 2012, and Global Payments reported they self-detected the breach early March), the data that may have been stolen was different (Visa reported Track 1 and 2; Global Payment reported only Track 2), and the reports on fraud (Global Payments said they had not heard about fraud on the stolen cards) are different.”
The breach, which Global Payments now believes included the payment card numbers of approximately 1.5 million individuals but not their names, addresses, Social Security numbers or other personal information, was self-reported after discovery through existing security measures, Garcia said.
“Just detecting it early is a good thing, but it doesn’t necessarily forgive us from trying to stop it altogether. So we are focused on that aspect of it,” he said. “Are we going to spend even more money (quite frankly) on security? The answer is yes.”
The Global Payments management did not specifically identify steps that would be taken to enhance security following the necessary investigation and compliance remediation measures. They did emphasize that the incident occurred within a subset of their North American processing system rather than through a merchant or point-of-sale system, and that they are not concerned about their relationships with partners and consumers. They are also processing all payment transactions as usual, including Visa transactions.
“I think our merchants and our customers understand that this will make us even stronger,” Garcia said. “This will make us all better… We’re all in this together.”