Credit Card Transactions: A Data Breach Waiting to Happen
Last week, Global Payments, Inc., an electronic transactions processor for, among others, VISA and MasterCard, reported a large data breach. According to Global Payments, intruders obtained “track 2” credit card data on 1.5 million cardholders.
Track 2 refers to a portion of the data contained on the credit card’s magnetic stripe [pdf]. Track 2 data includes card numbers and expiration dates. Track 1 data, which was not part of this incident, typically includes cardholder names and addresses.
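As an added illustration (not part of the original post), the Python below scans text such as application logs for Track 2 records so they can be located and redacted. It assumes the ISO/IEC 7813 Track 2 layout; the function names and the sample log lines are constructed for this example.

```python
import re

# ISO/IEC 7813 Track 2 layout: ';' start sentinel, PAN (up to 19 digits), '=',
# YYMM expiry, 3-digit service code, discretionary digits, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits for reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def _valid(m: re.Match) -> bool:
    """A match counts only if the month is 01-12 and the PAN passes Luhn."""
    return 1 <= int(m.group(3)) <= 12 and luhn_ok(m.group(1))

def find_track2(text: str) -> list:
    """Return one finding per valid Track 2 record, with the PAN masked."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        if not _valid(m):
            continue
        pan, yy, mm, svc, _disc = m.groups()
        # Assumption: two-digit years are in the 2000s.
        findings.append({"pan": mask_pan(pan), "expiry": f"20{yy}-{mm}",
                         "service_code": svc, "offset": m.start()})
    return findings

def redact(text: str) -> str:
    """Replace each valid Track 2 record with a marker carrying the masked PAN."""
    return TRACK2_RE.sub(
        lambda m: f"[TRACK2 {mask_pan(m.group(1))}]" if _valid(m) else m.group(0),
        text)

# Constructed sample log lines; 4111111111111111 is a widely used test number.
SAMPLE_LOG = """\
2012-04-02 10:15:01 auth ok terminal=17 raw=;4111111111111111=15121010000000000000?
2012-04-02 10:15:09 auth ok terminal=17 ref=;1234567890123456=15121010000000000000?
2012-04-02 10:15:12 heartbeat terminal=17
"""

if __name__ == "__main__":
    print(find_track2(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

The second sample line has the Track 2 shape but fails the Luhn check, so it is left untouched rather than reported as card data.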
With this sort of data maintained by credit card processors, it is not surprising that they make a tempting target. In fact, processors are just one part of a complex payment system that is fraught with peril. Let’s take a look at what happens in a typical credit card transaction:
- The customer submits a credit card for payment to a merchant.
- The credit card company routes the data on behalf of the merchant to a processor.
- The processor for the merchant’s bank submits the transaction to a credit card network like MasterCard or Visa.
- The credit card network routes the transaction to the bank that issued the credit card to the customer.
- The issuing bank approves or declines the card purchase.
- The credit card network sends the transaction back to the processor.
- The credit card processing company stores the transaction results.
- The issuing bank sends the appropriate funds for the transaction to the credit card network, which in turn passes the funds on to the merchant bank.
Whew! – remember that the next time you swipe your card at the gas station. Of course, any weak link in the processing chain could be a point of attack for a hacker. While the payment card industry (PCI) maintains security standards, the Global Payments breach demonstrates that even comprehensive standards will not stop a determined attacker.
In the wake of this incident, VISA dropped Global Payments from its list of approved providers. VISA’s action is a cautionary note for all businesses. A data breach can have severe consequences, not only in the costs of responding to the breach itself, but also for future business relations.