Credit Card Transactions: A Data Breach Waiting to Happen
Last week, Global Payments, Inc., an electronic transactions processor for, among others, VISA and MasterCard, reported a large data breach. According to Global Payments, intruders obtained “track 2” credit card data on 1.5 million cardholders.
Track 2 refers to a portion of the data contained on the credit card’s magnetic stripe [pdf]. Track 2 data includes card numbers and expiration dates. Track 1 data, which was not part of this incident, typically includes cardholder names and addresses.
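To make the track 2 layout concrete, here is an added example (not from the original post) that parses a track 2 string and masks any such data found in a log line, the kind of check a merchant or processor can run so swipe data never sits in logs. It assumes the ISO/IEC 7813 layout, which also carries a service code and discretionary data; the function names, the 12 to 19 digit card number range and the sample log lines are constructed for illustration.

```python
import re

# ISO/IEC 7813 track 2 layout: ';' card number (PAN) '=' YYMM expiry,
# 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum; rejects digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def parse_track2(raw: str):
    """Return the fields of a track 2 string, or None if it is not well formed."""
    m = TRACK2_RE.fullmatch(raw.strip())
    if not m or not luhn_ok(m.group(1)):
        return None
    pan, yy, mm, service, _disc = m.groups()
    if not 1 <= int(mm) <= 12:
        return None
    return {"pan": pan, "exp_year": yy, "exp_month": mm, "service_code": service}

def redact_track2(line: str):
    """Mask any track 2 data in a log line. Returns (clean_line, hit_count)."""
    hits = 0

    def _mask(m):
        nonlocal hits
        if not luhn_ok(m.group(1)):
            return m.group(0)  # checksum fails: not a card number, leave as is
        hits += 1
        pan = m.group(1)
        return f"[TRACK2 {pan[:6]}{'*' * (len(pan) - 10)}{pan[-4:]}]"

    return TRACK2_RE.sub(_mask, line), hits

# Constructed sample input; 4111111111111111 is a widely used test number.
SAMPLE_LOG = [
    "2012-04-02 10:01:07 pos=17 auth ok amount=42.10",
    "2012-04-02 10:01:09 pos=17 debug swipe=;4111111111111111=15121010000000000000? rc=00",
    "2012-04-02 10:01:11 pos=18 debug swipe=;4111111111111112=15121010000000000000? rc=05",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(redact_track2(entry))
```

Only the second sample line is rewritten: the first has no track data and the third fails the Luhn check, so both pass through unchanged.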
With this sort of data maintained by credit card processors, it is not surprising that they make a tempting target. In fact, processors are just one part of a complex payment system that is fraught with peril. Let’s take a look at what happens in a typical credit card transaction:
- The customer submits a credit card for payment to a merchant.
- The credit card company routes the data on behalf of the merchant to a processor.
- The processor for the merchant’s bank submits the transaction to a credit card network like MasterCard or Visa.
- The credit card network routes the transaction to the bank that issued the credit card to the customer.
- The issuing bank approves or declines the card purchase.
- The credit card network sends the transaction back to the processor.
- The credit card processing company stores the transaction results.
- The issuing bank sends the appropriate funds for the transaction to the credit card network, which in turn passes the funds on to the merchant bank.
Whew! – remember that the next time you swipe your card at the gas station. Of course, any weak link in the processing chain could be a point of attack for a hacker. While the payment card industry (PCI) maintains security standards, the Global Payments breach demonstrates that even comprehensive standards will not stop a determined attacker.
In the wake of this incident, VISA dropped Global Payments from its list of approved providers. VISA’s action is a cautionary note for all businesses. A data breach can have severe consequences, not only in the costs of responding to the breach itself, but also for future business relations.