By Julianne Pepitone and Leigh Remizowski
NEW YORK (CNNMoney) — A data breach at a payments processing firm has potentially compromised credit and debit card information from all of the major card brands, representatives from MasterCard and Visa said on Friday.
News of the breach was first reported by the respected security blog Krebs on Security. That article said the breach was “massive,” and could involve more than 10 million card numbers.
The Wall Street Journal followed up with an article saying that processor Global Payments is the vendor that was breached. Global Payments shares fell 9% before trade was halted in the morning. As of 3 p.m. ET, the stock had not resumed trading.
A representative of Global Payments did not respond to a request for comment. The extent of the breach, and what kind of information was compromised, has not been confirmed.
“I’ve spoken with folks in the card business who are seeing signs of this breach mushroom,” Gartner security analyst Avivah Litan wrote Friday in a blog post.
Her sources say the hackers have begun using some of the card data they stole, Litan added.
MasterCard said it has alerted payment card issuers “regarding certain MasterCard accounts that are potentially at risk.”
The company also said the breach is the subject of an ongoing forensic review by an independent data security organization.
Visa released a statement saying it too has provided card issuers with notifications about accounts that could be affected. The issuers “can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards,” it said.
Both MasterCard and Visa emphasized that their own networks had not been penetrated.
Discover said simply: “We are aware of the situation, are monitoring accounts for suspicious activity and will reissue plastics as appropriate.”
None of the three companies would comment on the scale or nature of the breach, but the Journal’s report says the information that was taken could potentially be used to counterfeit new cards. The breach reportedly took place between January 21 and February 25 of this year.
CNN has reached out to the other major credit card brands, including American Express, for comment.
In data breach situations, credit card companies generally offer affected customers fraud monitoring services at no cost — and customers aren’t on the hook for any fraudulent charges. The card issuers themselves are responsible for those costs.
Questions about industry standards: Several security researchers said the breach is a prime example of why the current Payment Card Industry Data Security Standard (PCI-DSS) is inadequate.
“Expect to see yet another round of almost religious fervor in the debate over the real value of PCI-DSS,” Geoff Webb, director of product marketing at data-protection company Credant Technologies, said in an email.
Cybercriminals “are constantly looking for opportunities to identify and attack sites where there is a weakness in security — just like a predator looks out for the weakest member of the herd,” he added.
Litan, the Gartner analyst, is skeptical about whether the credit card industry will invest the money and time required to switch to a more secure system, like “smart cards” embedded with chips, which are used in some foreign countries.
“It’s cheaper for them to deal with these breaches than to make all those chip cards,” Litan told CNNMoney. “We’ve had all of these breaches, but there have not been any significant attempts to change the situation. The information is easy to steal, and cards are easy to use, so it’s like free money for criminals.”