Visa and MasterCard on Friday were trying to determine the extent of a possible security breach at a third-party vendor that experts say could compromise the credit-card and debit-card information of millions of Americans.
The two companies say they have notified law enforcement officials and alerted banks about the potential data theft, even as they seek to assure customers that their own systems had not been breached.
Both companies also emphasized that customers are not held responsible for any fraudulent purchases made on their cards.
George Ogilvie, a spokesman for the Secret Service, confirmed that the agency is investigating the matter but declined to elaborate, saying the inquiry is ongoing.
The security lapse involved Global Payments, an Atlanta-based firm that describes itself as “one of the world’s largest electronic transaction processing companies.”
In a statement Friday afternoon, Global Payments said it had determined in early March that “card data may have been accessed.” It said that company officials immediately contacted federal law enforcement, brought in information technology forensics experts to investigate and notified “appropriate industry parties to allow them to minimize potential cardholder impact.”
“It is reassuring that our security processes detected an intrusion. It is crucial to understand that this incident does not involve our merchants or their relationships with their customers,” Global Payments chief executive Paul Garcia said.
Global Payments stock fell more than 9 percent on news of its involvement in the data breach before trading on it was halted about noon EDT. The company said it was continuing to investigate and would hold a conference call at 8 a.m. Monday.
Both Mastercard and Visa on Friday were quick to assure customers that their own systems remained safe and that they had alerted banks to any potential problems.
Mastercard said in a statement that its “own systems have not been compromised.” Visa officials also insisted that there had been “no breach of Visa systems” and that it had contacted card issuers with details about accounts that might have been compromised “so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards.”
In addition to notifying law enforcement and banks, MasterCard said Friday that an independent data-security organization was conducting an ongoing forensic review of the matter.
Brian Krebs, a computer security expert who first reported the theft on his blog KrebsonSecurity.com, wrote that sources in the financial sector had described the data theft to him as “massive” and believed it could involve more than 10 million compromised card numbers.
Avivah Litan, a Maryland-based fraud analyst at the information technology research firm Gartner, said Friday that she had spoken with contacts in the card business “who are seeing signs of this breach mushroom” and also believe the number of compromised numbers would reach into the millions. She said it appears that the breach at least partially involved a parking and garage company i n the New York City area.
“The industry has spent billions of dollars on trying to secure the payment systems. … They have been at this for years, trying to get merchants and payment processors and taxicabs and everything to secure their payment systems, and it’s just not working,” Litan said in an interview.
She said the United States lags behind many countries that have migrated to microchip technology in credit cards, which have cut back significantly on fraud. “We’re the only developed country that’s not using it,” Litan said.
Neither MasterCard nor Visa actually issues cards to consumers or lends money. Banks such as Wells Fargo and Bank of America typically issue the cards, while MasterCard and Visa oversee the individual transactions and charge merchants fees each time a card is swiped.
The latest incident is part of an ongoing string of electronic attacks against corporations, schools and government agencies that have repeatedly put the confidential information of Americans at risk. Last June, for instance, hackers breached a network at Citigroup and gained access to credit card data for more than 360,000 North American customers.
According to a report by the research firm Javelin, identity fraud increased during 2011 by 13 percent, and more than 11.6 million U.S. adults became victims.
One key factor behind the increase in fraud, the firm found, was the 67 percent increase in the number of Americans affected by data breaches. Research showed that victims of data breaches are 9.5 times more likely to fall prey to identify fraud than customers who had not received notice of a potential data breach.