Security blogger Brian Krebs this morning broke a story that Visa and Mastercard have begun sending alerts to banks about a major breach at an unnamed payment card processing firm.
Visa and MasterCard have acknowledged the breach, and the Wall Street Journal is now reporting that the processor is Atlanta-based Global Payments.
Krebs told Technology Live that Global Payments is expected to issue a statement today.
"Law enforcement asked everyone to keep it quiet so as not to disturb investigations," Krebs says. "I'm hearing now from two sources that investigators suspect Dominican street gangs may be involved and that the fraud is focusing mostly on commercial credit and debit card accounts."
Credit card processors have been breached before -- Heartland Payment Systems lost 130 million payment card records generated by 250,000 merchants and restaurants in 2008.
But the stakes are much higher this time around, especially for retailers. Some 46 states have now enacted data breach disclosure laws that require merchants and payment card issuing banks and credit unions to notify customers whose card numbers are stolen.
Many of these data loss disclosure laws impose stiff fines if notifications are not done in a timely manner. Massachusetts recently showed that such fines can generate much-needed revenue, while also championing consumer privacy and security, says Ted Julian, of Co3, a Cambridge, Mass.-based start-up that helps retailers manage the repercussions of credit card theft.
Depending on the scale of the Global Payments breach, which has not been disclosed, states could see a windfall in fines levied against merchants and card-issuing banks and credit unions who are slow to notify consumers that their credit or debit card number is in criminals' hands. Co3 has just sent out analysis conveying the hypothetical case of one merchant losing the payment card numbers of 1 million customers dispersed in 10 states. If that company failed to meet all 10 disclosure requirements, it would face $1.6 million in fines, Julian says.
"Merchants are definitely on the hook for these state disclosures, because they are the ones who have the consumer relationship," Julian says.
Gartner banking security analyst Avivah Litan says her sources "are seeing signs of this breach mushrooming. From what I hear, the breach involves a taxi and parking garage company in the New York City area so if you've paid a NYC cab in the last few months with your credit or debit card – be sure to check your card statements for possible fraud."
Litan also is hearing about a Central American connection. Unverified reports, she says, point to a "Central American gang that broke into the company's system by answering the application's knowledge based authentication questions correctly. Looks like the hackers took over an administrative account that was not protected sufficiently."
Update at 1:40 p.m. ET This statement just issued by Visa's Maria Hatzikonstantinou: "Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands. There has been no breach of Visa systems, including its core processing network VisaNet. Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards. ... Every business that handles payment card information is expected to protect the security and privacy of their customers' financial information by adhering to the highest data protection standards."
Update at 1:58 p.m. ET Mastercard earlier today issued a similar statement saying it is "concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information. If cardholders have any concerns about their individual accounts, they should contact their issuing financial institution."