Up To 1.5 Million Visa, MasterCard Credit Card Numbers Stolen

An anonymous reader writes "Global Payments, the U.S.-based credit card processor company that experienced a security breach affecting Visa and MasterCard, confirmed that the breached portion of its processing system was confined to North America. The company also finally revealed how many credit card numbers were stolen: around 1,500,000."

Re:Recourse?

[Bigby]

Whether it is used now or later, you are not liable. Your recourse is that you are NEVER liable for credit card transactions.

And VISA already dropped Global Payments. Let the market and common law handle this...

Re:Recourse?

[jmauro]

They dropped them from the list of "secure" providers. Global Payments is still authorized to handle VISA credit card payments.

New Security Model

[MetalliQaZ]

That government guy from the cyberwar scare story last week had it right... We need a new security model. Just assume that your credit card numbers, your social security number, etc., are already compromised. Those things were never designed to be secure, and companies that we trust with this data simply can't keep them safe. We just have to accept that the bad guys are all up in our business and adjust our practices accordingly. We could do it.

Re:Recourse?

[SniperJoe]

Actually, that's not true at all. If you fail to report fraudulent transactions within 60 days of statement mailing, the bank and/or credit card company is not responsible for any investigation or repayment under the Fair Credit Billing Act.

http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre04.shtm [ftc.gov]

Re:Recourse?

[tripleevenfall]

The burden on the consumer to protect themselves is not high. All you have to do is what you should already be doing, looking over your statement and reporting anything you have questions about.

Aside from this, it seems likely they will notify the people who were affected and issue them new cards if they can identify who they were. It may not be possible to tell which numbers were stolen, only which were exposed.

Re:Recourse?

[Solandri]

Don't do that. The banks and credit card companies have gamed it so that they don't pay for fraud - the merchants do. They've made it the merchant's responsibility to make sure the card is not being used fraudulently, while simultaneously pushing through a law which prohibits declining a card because the user refuses to show ID (because that would, y'know, discourage credit card use*). If you contest a charge and the merchant cannot prove that you actually made the charge (usually a copy of your signature on the charge slip), the processor will reverse the payment. The merchant is out the money and the merchandise. The card processor suffers the minor inconvenience of having to pay someone to field your phone call and having to run a second transaction to reverse the initial purchase. That is why some places will ask for your zip code or home phone number, or won't deliver to anywhere but your home address when you buy with a card. Those are the only tools merchants have to prevent fraud.

* They also pushed through a law prohibiting merchants from charging extra for credit card transactions to cover the additional risk of fraud. Some merchants get around it by offering a cash discount.

Re:Recourse?

[Anonymous Coward]

Posted anon on purpose.

I work for a credit card company and we give out both Visa and Mastercard. When there is a fraud, WE pay the money. If you need a new card WE pay for that new card.

If you contest a charge and there is anything reasonable (so no cash withdrawal with your PIN code) we will FIRST give you the money back, then start the investigation and if there is no actual fraud (or more likely a fraud attempt of the cardholder) he will see it on a later bill.

This means in many cases that the merchant has the money, the customer has nothing to pay and we end up with the bill.

Now if the USofA would start using a modern system like the rest of the world, instead of still using the magnetic strip confirmed by a signature on the card, use the PIN code system with a chip. This seriously will increase security.

As far as we are concerned, if you go to the US, it will cost US money, because of the backwater system that is used.

Almost all of the world has changed to a more secure system, yet the US is somehow unable to get up to speed.

Will it ecxlude all situations or all fraude? No, but it will seriously reduce it. How? If you do not have the code, you can only try to buy stuff on the Internet. The moment the card is noted as stolen, even that won't work, because the card is blocked from that moment on.

Re:Recourse?

[Raenex]

Wait, VISA will still let insecure providers to process transactions?

Global Payments is a huge provider, and Visa couldn't just stop processing payments from them without impacting a huge number of merchants.

(I'm not disputing what you're saying, I just find it amazing they'd let someone who doesn't have good data security anywhere near transactions.)

Even companies who have good security can suffer a breach. I haven't seen any details on what happened, whether it was gross negligence, an inside job, or what. To even be processing with Visa, you have to pass security audits for basic procedures. They'll get whatever went wrong fixed and re-apply for approval.

The real problem here is the reliance on "secret" data (your credit card number) that is published on every transaction. With so many people and organizations involved, it's inevitable that these leaks will happen.

It's 2012. There are much better solutions using smart cards and public/private keys.