May 1, 2012

Global Effects of the Global Breach

Over the past few weeks, the payment industry Web space has been filled with articles spawned by the reported breach of Global Payments. These posts range from intelligent hypotheses based on significant industry experience to wild speculation from scheming salesmen looking to make a quick sale by inspiring fear, uncertainty, and doubt in their potential clients.

If you’re interested in our hypothesis on the breach, you can read Shift4 CEO Dave Oder’s take in the article Global Ramifications. In that post, Dave calls for the PCI Council to create a secure way to share pertinent breach details with those of us in the industry who have a legitimate need to know. Sharing that information, he believes, could help the good guys shore up their defenses against the attackers who will reuse the same techniques elsewhere.

What we officially know about Global’s breach is relatively little: they were breached sometime earlier this year, and roughly 1.5 million card numbers were potentially compromised. That’s about it for the public record. We suspect there is a whole lot more to this situation, based on the response of some major industry players who, we expect, have insider knowledge of the incident (Visa prime among them).

Case in point: with no explanation, Visa almost immediately dropped Global from its list of PCI DSS-compliant service providers. Within 48 hours of Global’s announcement, Visa’s network went offline for nearly 45 minutes in the middle of the day, on a weekend. They claim this was unrelated to the breach, but we’re skeptical; taking a payment network down during prime shopping time is not something you do lightly, and we believe it must have been prompted by serious security concerns.

A few days later, Global e-mailed all of their resellers and integrators (we loosely fit into the latter category because we process transactions through them) and encouraged them to review the Visa Best Practices for Payment Application Integrators and Resellers. The document, though nearly a year old, is still pertinent in light of the Global breach. It also confirms the importance of many of the security measures that Shift4 employs. Give it a quick read; it may help you understand why Shift4 sometimes asks so much of you when it comes to security. It’s definitely for your protection.

Ultimately, we don’t know what happened, and we may never know. Some of us should know, since the details could help us prevent future attacks, but the decision to make that information available lies with the card brands and the PCI Council. For now, they’re not telling.