Meanwhile, Global Payments said that cardholders’ names, addresses and Social Security numbers were not obtained by hackers. The company says that only what’s known as Track 2 data (relating to the magnetic strip on the back of the card) was stolen–that is, the credit card numbers and their expiration dates.
“Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained,” Global Partners added.
However, it appears to be left to credit card-holding consumers to figure out their own potential exposure in the mess. The blogosphere is sparkling with speculation, but the facts are still sparse. Global Payments said Monday it is in the process of setting up a website to help consumers who might be affected.
What Makes It Complicated
A part of what it is difficult to determine exactly who might be affected stems from the complex nature of the credit card processing chain.
When you make a credit card purchase, you trigger a six-step process (PDF) that transmits information (1) from your credit card to the merchant making the sale; (2) from the merchant to an entity called a processor (or, in industry terms, an acquirer), in this case, a company like Global Payments; (3) from the processor to the issuer (your bank); (4) from the issuer back to the processor; (5) from the processor back to the merchant; and (6) you take your merchandise. Here’s a diagram that may help:
The part of the process that was breached was the step between the merchant and the processor; the former being a New York City taxi and parking garage company, according to Gartner analyst Avivah Litan. Global Payments apparently first identified the potential breach in early March, and the problem had been undetected for several months before that. Therefore, the pool of victims is likely to be those who used their debit or credit cards for transportation in the New York metropolitan area earlier this year.
Global Payments says that it believes 1.5 million card numbers may have been breached. Since apparently no customer names were associated with the data breached, this problem does not appear to involve identity theft. According to Census Bureau 2010 estimates, there are somewhere in the neighborhood of 181 million credit cards in the United States, so this breach could represent less than one percent of credit cards in use.
What Steps a Consumer Should Take
However, if you still think you might be part of this group, what can you do besides wait for your bank to notify you that you may be affected, based on current breach notification laws?
First, start monitoring your credit card statement (thank goodness for online banking) for unauthorized activity–though, given that the breach has been happening for a while–you may have already noticed something awry. Look for charges for items or locations you don’t recognize.
You can also place a fraud alert on your credit report (through credit reporting agencies like Experian) if you want. Here’s how Experian explains these alerts: “Fraud alert messages notify potential credit grantors to verify your identification before extending credit in your name in case someone is using your information without your consent.”
Finally, remember that both Visa and MasterCard offer what the companies call “zero liability” to the shopper for unauthorized credit card purchases.