Another small detail or two on as-yet-unnamed processor breach
Still no real facts, but more hints of impact. This from the Community Bankers Association of Illinois (emphasis added by me):
(February 11,2009) Today, VISA announced that an unnamed processor recently reported that it had discovered a data breach. The processor’s name has been withheld pending completion of the forensic investigation. According to VISA officials, the breach affected all card brands. Evidence indicates that the account number, PAN and expiration dates were stolen. No cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers or other personal information were involved in the breach. VISA officials have indicated that the Account Data Compromise Recovery (ADCR) procedure will not apply to this event. The ADCR process is used exclusively for magnetic-strip data compromise events. An increase in card-not-present fraud suggests some BIN number have been targeted by criminals. CAMS reports were sent to banks beginning on Monday, February 9, 2009, and are expected to conclude by Friday, February 13, 2009. We have already heard from Illinois bankers that have been affected. VISA officials reported that while the number of accountholders affected is undetermined, it appears to be fewer than those affected by the recent Heartland Payment Systems breach, but a significant number nonetheless. And unlike the Heartland breach, where thieves also captured Track 2 data, officials reiterated that no personal information was taken in this most recent event. The status of the processor’s PCI compliance is unknown at this time. Bankers are encouraged to read their daily CAMS reports and monitor CVV responses. Issuers have chargeback rights. MORE TO COME….
So far, I haven’t found any updates subsequent to Feb. 13, but if any site visitor finds any, please let me know.
I freely admit my ignorance on the way things are done, but if banks were already reporting being affected by this breach by this February 11 posting, has anyone contacted the customers whose accounts were affected or is everyone just going to sit on this breach until the processor is ready to issue a public statement?