Data Security & Privacy

Payment Processor Hit With Data Breach Loses Stock Valuation; Rebuilds Brand Reputation Amongst Clientele

Atlanta-based Global Payments, Inc., was the latest payment processor to have its mission-critical information accessed in an unauthorized manner by hackers this past Friday.  The fallout extends far beyond the possible exposure of up to 1.5 million accounts maintained by the seventh-largest payment processor.  The high-profile customers that this relatively unknown company represents include businesses like Caesars Entertainment, Corp., and FTD Florists.  In addition to having to reassure those critical accounts that their data is secure, Global Payments was removed by Visa, Inc., from its list of compliant third-party vendors; the expectation is that MasterCard will follow suit.  Lastly, shares in the company dropped 9% at the close of trading on Friday at the New York Stock Exchange.

Despite such dire consequences related to the data breach, the customers of Global Payments' customers (i.e., consumers) do not seem to be too worried that the data breach could potentially expose them to fraud.  The reasoning behind this “it’s not my problem” mentality is that the consumer is not on the hook for any fraudulent transactions happening on their account.  Vigilant credit monitoring is the consumers’ main priority, and once fraud has been detected, the risk is transferred to the bank for indemnification.  The consumers’ financial institution is the one that suffers the loss, which arguably is where the fault should ultimately lie (i.e., get better servers or do business with partners who operate on a secure network).

What’s always interesting is how credit card companies like Visa, Inc., MasterCard, Inc., Discover Financial Services, and American Express, Co., scatter like cockroaches when the light turns on over a data breach.  Like magic, Visa removed Global Payments from its list of compliant vendors over the weekend, which makes one ponder: at what point was Global Payments not compliant?  Before the breach? During the breach? After the breach?  If they were compliant before the breach, then shouldn’t the efficacy of Visa’s compliance program (i.e., PCI DSS) be called into question?  What is the incentive for Global Payments to implement a PCI DSS process if, at the end of the day, they are the ones with all the risk?
