Global Effects of the Global Breach

Over the past few weeks, the payment industry Web space has been filled with articles spawned by the reported breach of Global Payments. These posts range from intelligent hypotheses based on significant industry experience to wild speculation from scheming salesmen looking to make a quick sale by inspiring fear, uncertainty, and doubt in their potential clients.

If you’re interested in our hypothesis on the breach, you can read Shift4 CEO Dave Oder’s take in the article Global Ramifications. In that post, Dave calls for the PCI Council to create a secure way to share pertinent breach details with those of us in the industry who have a legitimate need to know. That idea-sharing, he believes, could help the good guys shore up defenses against the hackers.

What we know about Global’s breach is relatively little. They were breached sometime earlier this year and 1.5 million cards were potentially compromised. That’s about it for the official record. We suspect there is a whole lot more to this situation based on the response of some major industry players who, we expect, may have some insider knowledge of the situation (Visa being prime among them).

Case in point: with no explanation, Visa almost immediately revoked Global’s PCI-compliant status. Within 48 hours of Global’s announcement, Visa went offline for nearly 45 minutes during the middle of the day – on a weekend! They claim this was unrelated to the breach but we’re skeptical (the decision to take the system offline during prime shopping time must have been prompted by some serious security concerns).

A few days later, Global e-mailed all of their resellers and integrators (we loosely fit into the latter category because we process to them) and encouraged them to review the Visa Best Practices for Payment Application Integrators and Resellers. The document, though nearly a year old, was still pertinent following the recent Global breach. It also confirmed the importance of many of the security measures that Shift4 employs. Give it a quick look; it may help you understand why Shift4 sometimes asks so much of you when it comes to security – it’s definitely for your protection.

Ultimately, we don’t know what happened and we may never know. Some of us should know, as it may help us prevent future attacks – but the decision to make that information available to us lies with the card brands and the PCI council… and for now, they’re not telling.

Archived Comments

Jeff Henschel wrote on 05/01/12 3:27 PM

It appears in the dark is where the Card Brands and the PCI Council would like to keep all of us. They also know how hospitality merchants are being breached and will not share that information so we can specifically block known attack points. This is disturbing to me as it puts significant risk on all of us while we must all remain compliant and deploy the proper security to our environments. It sure would help me sleep better at night knowing I am blocking the known successful attack points.

Nathan Casper wrote on 05/01/12 3:38 PM

Well said, Jeff.

We're actually working on a presentation on just the issues you mentioned. We've pitched it for possible inclusion as a tutorial at HITEC, so keep your eyes open and hopefully we'll be able to shed some light on it then.