The Global Payments Breach, Media Hype, and the Cost of Fraud

by David Fish 0

It’s been about three weeks since merchantacquiring processor and independent sales organization GlobalPayments Inc. revealed it suffered a security breach. This cameafter news of the incident was leaked to Brian Krebs, aninformation security researcher and blogger. Those who follow theinfosec space witnessed how quickly word can spread once news of adata breach begins to go viral.

On March 30, Twitter exploded with the leaked information thatVisa and MasterCard had begun notifying card issuers of a datasecurity breach at a U.S.-based merchant acquirer processor. Krebs’blog was flooded with web traffic within minutesand, by early afternoon, trading of Global Payments shares werehalted on the New York Stock Exchange. By the end of the day,Global Payments was front page news on Bloomberg, Reuters, Forbes,and several other online news outlets. At that point, it officiallydisclosed the breach in a press release.

Since the disclosure, we have seen no dearth of commentary on thebreach incident, with major news outlets giving the story broadplay in the days following the news leak, and payments industrypubs and websites still giving it a level of attention not seensince news broke of the Heartland Payment Systems breach in 2009.Why?

Well, because the public believes it is in danger, of course! Or socertain elements of the media would have us believe.

Sure, there are very real risks posed to regular folks wheneversensitive data is stolen, whether from medical records or paymentcard details. And last time I checked, identity theft was still ina period of rampant growth. Consumers who experience identity theftend up with hours of work and misery to set things right. But thoseconsumers who have their card numbers stolen in incidents like theone at Global are protected under U.S. federal law and card brandoperating rules against fraudulent transactions on theiraccounts.

Who will end up paying for it? Merchants who accept those cardsfor payment by criminals who use the stolen card data to purchasecommodity goods, or card issuers and merchant acquirers who fallvictim to merchant fraud schemes wherein fraudsters pose ascard-accepting businesses only to run fraudulent transactions. Butthe cost of card fraud is ultimately disseminated back to themasses who may not even notice it in higher prices at checkout orinterest rates on loans and credit cards.

Incidents of data fraud cause immediate expense to the partiesdirectly involved, but the real impact is a gradual erosion of theentire value proposition. Yes, it is Global Payments’responsibility to secure its data systems to the best of itsability, and it will be their fine to pay, but we all pay in theend.