Information Security

Merchants

Global Payments continues to process transactions for all major credit and debit brands with the same high level of service you have come to expect.

In June 2012, the company announced that its data intrusion investigation revealed potential unauthorized access to personal information collected from a subset of merchant applicants. It is unclear whether the intruders looked at or took any personal information from the company’s systems; however, potentially-affected individuals were notified with helpful information including the availability of credit monitoring and identity protection insurance at no cost.

We sincerely apologize for any concern this may have caused you.

Frequently Asked Questions

Why did the company release additional information on June 2012?
In early March 2012, Global Payments immediately engaged external experts in information technology forensics and contacted federal law enforcement after learning of potential unauthorized access into its processing system. At the time of our initial release, we did not know of the potential access to personal information of a subset of merchant applicants, or we would have announced it then. When we learned of it and determined that the information was sound, we announced it.

Did the intruders operate at the Global Payments enterprise or at the merchant level?
This situation only involved systems at Global Payments and did not involve merchant systems, our partners or banks. Merchants do not need to change their points of sale or other systems to continue processing transactions through Global Payments. There is no operational impact to merchants, their partners or the merchants’ relationships with their customers.

Could the unauthorized activity have occurred through an Independent Sales Organization (ISO)?
Our investigation indicated that this incident involved only systems at Global Payments. This incident did not involve systems operated or maintained by third parties, including ISOs.

Can I continue to accept credit card transactions processed by Global Payments?
Yes. We are processing all of your transactions as usual and will continue to do so.

Do I need to switch to another credit card processor?
No. We are processing all of your transactions as usual and will continue to do so.

What is PCI-DSS compliance?
It refers to Payment Card Industry Data Security Standard, and all processors undergo an annual PCI compliance renewal process.

Why have card brands removed you from their list of PCI Compliant Service Providers?
This is not unexpected after a security incident. Based on our announcement of unauthorized activity in a limited segment of our North American processing system, some card brands removed us from their list of PCI compliant service providers. They have requested we revalidate our PCI status. We hired a Qualified Security Assessor (QSA) to conduct an independent review of the PCI compliance of our systems. We have essentially completed our remediation work and the required documentation is in the process of being provided to the QSA for verification. This verification will allow the networks to evaluate the results and return Global Payments to the list of PCI compliant service providers once the results are accepted.

Can you continue to process transactions?
Yes. Global Payments continues to process transactions for all card brands with the same high level of service our customers have come to expect.

When will Global Payments be reinstated to these PCI-DSS lists?
We hired a Qualified Security Assessor (QSA) to conduct an independent review of the PCI compliance of our systems. We have essentially completed our remediation work and the required documentation is in the process of being provided to the QSA for verification. This verification will allow the networks to evaluate the results and return Global Payments to the list of PCI compliant service providers once the results are accepted.

If a merchant processes with Global Payments, does it affect the merchant's PCI status?
No. Acquirers and merchants can continue to process transactions through Global Payments while the company works to revalidate its PCI-DSS compliance. Processing transactions through Global Payments will not cause otherwise compliant merchants to be subject to non-compliance fines or assessments if all other standing PCI-DSS requirements have been satisfied.

Global Payments says a subset of the company’s U.S. merchant applicants were potentially-affected; does this affect merchant applicants located in Canada?
Based on the investigation, merchant applicants outside the United States were not affected.

Will Global Payments introduce new security measures as a result of this incident?
Yes. The security of the transactions we process has been and remains critically important to Global Payments. We have significantly enhanced our hardware and software systems, network monitoring and security procedures.

What is Track 1 and Track 2 data?
Track 1 data contains alpha-numerical information such as cardholder names, addresses and social security numbers, whereas Track 2 data includes only numerical card information.

May I obtain a list of my customers who may be part of the card numbers stolen?
We have provided this kind of information to the appropriate card brands, so the issuing financial institutions can assist cardholders if necessary. If cardholders have concerns, they should contact their issuing banks or institutions.

What more can merchants do to protect themselves from fraud?
For information on how to protect your business, visit the Security Cardholder Account Information – Industry Regulations and Merchant Obligations section of our website at http://www.globalpaymentsinc.com/USA/customerSupport/industryInit.html.

 

As of January 9, 2013

© 2012 Global Payments Inc. All rights reserved.