VISA and MasterCard have alerted U.S. banks about a recent major breach at a U.S.-based credit card processor, which may involve more than 10 million compromised card numbers.
Security blog KrebsOnSecurity, which first reported the story,said that the breached credit card processor was compromised between Jan. 21, 2012 and Feb. 25, 2012. The alerts sent to the banks also reportedly said that the stolen data was enough to be used to counterfeit new cards.
VISA confirmed the breach: "Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands. There has been no breach of Visa systems, including its core processing network VisaNet.
Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards.
It?s important for U.S. Visa consumer cardholders to know they are protected against fraudulent purchases with Visa?s zero liability fraud protection policy, which exceeds federal safeguards. As always, Visa encourages cardholders to regularly monitor their accounts and to notify their issuing financial institution promptly of any unusual activity. Additional consumer security tips are available at www.VisaSecuritySense.com.
Mastercard said: "We are concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information.
"If cardholders have any concerns about their individual accounts, they should contact their issuing financial institution."
Neither VISA nor MasterCard have said which U.S.-based processor was the source of the breach. Reports suggested the stolen details had been obtained in New York.
Gartner analyst Avivah Litan says that that the crime was perpetrated by a Central American gang that broke into the company?s system by answering the application?s knowledge based authentication questions correctly.
After the initial report, the Wall Street Journal quoted its own industry sources as saying card-processing firm Global Payments was the company that suffered the breach