(February 11,2009) Today, VISA announced that an unnamed processor recently reported that it had discovered a data breach. The processorís name has been withheld pending completion of the forensic investigation.
According to VISA officials, the breach affected all card brands. Evidence indicates that the account number, PAN and expiration dates were stolen. No cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers or other personal information were involved in the breach. VISA officials have indicated that the Account Data Compromise Recovery (ADCR) procedure will not apply to this event. The ADCR process is used exclusively for magnetic-strip data compromise events.
An increase in card-not-present fraud suggests some BIN number have been targeted by criminals. CAMS reports were sent to banks beginning on Monday, February 9, 2009, and are expected to conclude by Friday, February 13, 2009. We have already heard from Illinois bankers that have been affected.
VISA officials reported that while the number of accountholders affected is undetermined, it appears to be fewer than those affected by the recent Heartland Payment Systems breach, but a significant number nonetheless. And unlike the Heartland breach, where thieves also captured Track 2 data, officials reiterated that no personal information was taken in this most recent event.
The status of the processorís PCI compliance is unknown at this time.
Bankers are encouraged to read their daily CAMS reports and monitor CVV responses. Issuers have chargeback rights. MORE TO COMEÖ.