Feb 212009
 

My googling skills are paying off. Found this on TVACU.com: (not CardNet as originally cited; the CardNet notice is provided below the TVACU.com notice)

On the heels of the Heartland Payment Systems breach, another U.S. acquirer-processor has confirmed a network intrusion exposing primary card numbers and card expiration dates for card-not-present (CNP) transactions. Unlike the Heartland Payment breach, this breach does not expose magnetic stripe track data. The reported incident involves confirmed unauthorized access to a U.S. acquirer processor’s settlement system of stored transaction information that included Primary Account Numbers (PANs) and expiration dates.

As the entity involved has not yet issued a press release, Visa and MasterCard are unable to release the name of the merchant processor. It is important to note that this event is not related to the Heartland Payment Systems breach.

Visa began releasing affected accounts on Monday, February 9, 2009 under CAMS event series US- 2009-0088-IC. They expect to have all accounts released by Friday, February 13. MasterCard began releasing accounts on Wednesday, February 11, 2009 under MC Alert series MCA0150-US-09. They have not provided any information as to when they expect to have all their accounts released. The current window of exposure provided by both card associations is from February 2008 through January 2009. The only data elements at risk are account number and expiration date. No track data, PIN, CVV2/CVC2 data or cardholder-identifying information was captured. As in all events, it is the issuer’s decision whether or not a block and/or reissue decision is warranted. However, we would like to emphasize that this event carries a lower level of risk than the Heartland compromise.

[...]

NEW Data Security Breach (Visa 2009-088-IC) – Thursday, February 12, 2009
Visa held a conference call today to alert Members about a new compromise that they recently became aware of. We have been advised that some credit unions have already begun to see the Alerts in Compromise Manager, however the they have not yet been distributed via E-Reports. We anticipate they will begin arriving tomorrow, Friday, February 13, 2009. Here is what we know so far:

The security breach occurred at a Merchant Processor. Visa is not disclosing the name or location of the Merchant Processor.

This is a very large compromise, similar to the Heartland compromise, but slightly smaller.

There are going to be at least 24 different alerts.

Track Data WAS NOT compromised, only account numbers and expiration dates.

Compromise data is not sufficient to create counterfeit cards that would lead to card present fraudulent transactions.

Period of exposure is transactions from about February 2008 through August 2008.

[...]

Updated: Pennsylvania Credit Union Association CardNet shows:

New Data Security Breach (Visa – 2009-088-IC & MasterCard 150-US-09) – More Information – Friday, February 13, 2009

Earlier this week, Visa and MasterCard began issuing accounts involved in a merchant processor breach. The reported incident involves confirmed unauthorized access to a U.S. acquirer processor’s settlement system of stored transaction information that included Primary Account Numbers (PANs) and expiration dates. No magnetic stripe track data has been identified at risk in this alert. As the entity involved has not yet issued a press release, Visa and MasterCard are unable to release the name of the merchant processor.

It is important to note that this event is not related to the Heartland Payment Systems breach. While it has been confirmed that malicious software was placed on the processor’s platform, there is no forensic evidence that accounts were viewed or taken by the hackers. Since the final forensic report has not been provided there is no estimate available at this time of the number of accounts involved in this event. Law enforcement is activity engaged in an investigation into this situation.

Visa began releasing affected accounts on Monday, February 9, 2009 under CAMS event series US- 2009-0088-IC. They expect to have all accounts released by Friday, February 13. MasterCard began releasing accounts on Wednesday, February 11, 2009 under MC Alert series MCA0150-US-09. They have not provided any information as to when they expect to have all their accounts released. The current window of exposure provided by both card associations is from February 2008 through January 2009. The only data elements at risk are account number and expiration date. No track data, PIN, CVV2/CVC2 data or cardholder-identifying information was captured. As in all events, it is the issuer’s decision whether or not a block and/or reissue decision is warranted. However, we would like to emphasize that this event carries a lower level of risk than the Heartland compromise.

Please keep in mind that it is likely that your specific credit union will not receive accounts on all lists. If you do not receive a particular list in the series, it simply means that you had no accounts involved. It is also important that you review the details on each alert, as additional information may be provided that is specific to those accounts. These details may help you in determining how to handle those particular accounts.

If your credit union has accounts that were involved in this compromise event, you will be notified through MasterCard Alerts and/or Visa CAMS. Principal and Associate members receive these alerts directly through MasterCard and Visa. All others will receive their alerts from FIS through E-Reports. FIS is processing these alerts as quickly as they can.

As with all alerts received from the Card associations, you should maintain all documentation relevant to these accounts and any actions you take on these accounts to enable you to file a fraud case or a claim for reimbursement in the event fraud does occur and the event becomes eligible. Feel free to call your Credit Union Representative with any questions you may have.

Sorry, the comment form is closed at this time.