Last Friday, I was reading my daily dose of Brian Krebs’ blog, KrebsOnSecurity.com, and read his story about a company called Global Payments Inc. being hacked. He didn’t name the company on Friday; the Wall Street Journal did later in a story. Either way, we now know the company’s name.
Global Payments Inc. is a credit card payment processor, or “acquirer”, or “merchant acquirer” in industry terms. Firms like this are basically middle men between the various retail or other business establishments who take credit cards and the banks who issue them. The credit card industry has layers. Banks issue credit cards to the people. The people want to use their cards to buy things, so retailers set up accounts with “acquirers” in order to be able to take credit cards. Visa runs a particular network, VisaNet, that ties all these different entities together.
When you use your credit card, you are essentially saying, “I promise to pay my bank back.” You are promising to pay your bank back because it’s actually the bank who is going to pay the business where you used your card. Now the bank can’t be going all over the world trying to pay all the places where you used your card. Well, I suppose they could, but they don’t. Enter the next layer…the acquiring bank, and in this story, the breached entity.
The acquiring bank spends their time setting up merchant contracts with the various entities that would like to accept credit cards. They then handle the mundane task of collecting money from your bank in order to pay the merchant, minus a small fee of course.
The only real role that Visa or MasterCard or American Express (the credit card “brands” if you will) play is to facilitate communications amongst the relevant parties. Of course they’d tell you that it’s their brands that make the whole non-cash world go. And to some extent, they are correct. When your card is swiped, VisaNet sends a message to the bank asking if it’s ok to use your card. VisaNet is also equipped to answer that question if the bank doesn’t answer fast enough. (Remember, you’re standing there hoping you paid your last bill…waiting for that machine to answer.)
To complicate matters further, there can be yet another layer between the actual store wishing to take credit cards and the acquirer. Because it’s not relevant to this discussion, I will leave a full credit card industry analysis for another day. Suffice to say that if there is a way to make money in the credit card industry, the companies have figured it out.
This particular acquirer is rather large. Most are. They make very little on individual transactions, so they need lots of transactions to make real money. Global Payments makes real money. They are a public company listed on the New York Stock Exchange. Take a look at this graph, which shows Global’s stock price before, during and after they announced the breach. (GRAPH)
The losses piled up so fast that the NYSE halted trading of Global’s stock around noontime on Friday. In the wake of the announced breach, VISA announced that they would be dropping Global as a processor. Well, not exactly “dropping” them apparently, but rather delisting them from a “registry” of processors (acquirers, merchant acquirers, etc.) who meet certain data security requirements. You see, VISA, MasterCard and the rest of the “brands” hold all the cards. They get to decide who is a processor, and more importantly, who is not. Or in this case, who is on the good list and who is on the naughty list. Very Santa-ish of them.
The number of credit card numbers stolen in this breach is either unknown, still being established or being “managed” in order to do the least damage. Global says that “less than 1.5mil had been ‘exported’.” Interesting choice of words. Please check out Brian Krebs’ story on that issue here. This company probably processes(ed?) billions of transactions a day… will they ever know what was actually taken?
All this matters because of the costs that come next. Let’s say it’s 2mil cards lost. If each card costs say $3 to replace, that’s $6mil. Now say half of them want credit protection. At $6 per person that’s another $6mil. If Global loses business because Visa “delisted” them, that’s another cost (amount unknown). Don’t check my math; these are extremely rough numbers and every situation has different costs. I am confident, however, that the costs will be profound. Ponemon Inc. puts the average cost of a data breach at $214 per record. (x 1 mil? x 2 mil? x 10mil?)
And let’s not forget about that stock price graph I showed you. Global lost approximately 14% of their stock value. Based on what I know about their annual income, stock price and their market capitalization – (which is just about nothing) – I assume that 14% is a lot, a real lot of money.
A law firm, Levi & Korsinsky, has announced that they are “investigating potential claims against the board of directors of Global Payments, Inc.”
If I own stock in a company and that company performs so poorly because of its management, I can sue the company – well, actually, I sue the Board of Directors on behalf of the company – you see shareholders own the company. I do not purport to be an expert on so-called Shareholder Derivative lawsuits, or Federal Securities class actions, but I do know that you’d be wise to hire a lawyer (or lots of them) if one of these showed up on your company’s doorstep. It looks like the folks over at Levi & Korsinsky are cooking something up.
In the wake of a data breach there are huge costs associated with the clean-up, notifications of affected parties, lost business or brand damage, litigation or potential litigation, regulatory action and other related costs. The down side here is pretty down.
But look on the bright side… a computer science degree is getting more popular by the day. You can be good or bad but definitely rich.
Dear Credit Card Industry:
I don’t really care if every credit card processor on the planet gets hacked. I simply would like to be assured that even if they do, the costs will not trickle down to me. I will participate in your cash-less society so long as these pesky data breach things don’t impact my bottom line. Please tell me the sky is not falling.
Signed, Concerned Customer
Dear Concerned Customer:
The sky is not falling. We are dedicated to providing the most secure environment for credit card transactions, but alas our world is awash with a certain element intent on hurting our efforts. Since we are all in this world together, we must all share the costs. We will certainly do our best to make it seem like it’s not costing you anything, when in fact it is. You don’t really expect us to pay for these crimes, do you?
Signed, Anonymous (we pwned again!)