Hacker forces some banks to cancel Visa debit cards

Several banks in the Washington D.C. area have been forced to cancel and reissue thousands of Visa debit cards after a hacker allegedly intercepted a file containing purchase data from a local online merchant.

First Virginia Banks Inc. in Falls Church, Va., this week began notifying 500 of its customers that their card numbers and expiration dates, telephone numbers and addresses had been compromised. Likewise, Atlanta-based SunTrust Banks Inc., which has branch offices in northern Virginia, Washington and Maryland, began monitoring several customer accounts that may have been compromised.

This comes two weeks after Washington D.C.-based Riggs Bank on Aug. 21 sent letters to 3,000 of its customers informing them that a local online merchant’s customer database containing their Visa debit card numbers had been hacked into and compromised. Officials at First Virginia, Riggs and Visa declined to name the merchant where the customer data originated.

All the payment data belongs to customers who had made purchases at an online merchant in the Washington area. However, Visa declined to say whether the data was taken directly from a system belonging to the merchant or from one of the many companies that process electronic payments between online retailers and Visa.

In a written statement, Visa characterized the incident as “a potential compromise of cardholder data stored on a third party’s computer.” Visa alerted various banks in the area “as a precautionary measure so that these banks may take the appropriate steps to protect cardholders whose data may have been compromised,” the statement said.

Rick Bowman, chief financial officer at First Virginia, said his bank has “no way of knowing which merchant it is that had their database hacked. Visa does not disclose that information.” Bowman said First Virginia receives similar alerts about once every six weeks and often has to issue new cards to customers.

A Riggs official, who spoke on condition of anonymity, said, “It would not be fair to identify the merchant,” because the matter is still under investigation by the FBI and the incident could have been the result of security holes at one of several third-party companies that process Visa transactions.

To date, there is no evidence of fraud stemming from the compromise, the official said.

Carolyn Gosselin, a spokeswoman for SunTrust Banks, said security officials at the bank are “monitoring a few accounts that may have been in contact with the merchant.” So far, SunTrust hasn’t uncovered any fraudulent activity that would force the bank to reissue cards to all of its customers in the area, she said. “We hope not to have to do that.”

Because Visa debit cards are linked directly to customer checking accounts, officials at both First Virginia and Riggs are urging users to destroy their cards and inspect their next bank statements carefully. A security official at First Virginia told customers that the merchant would be notifying them of the incident by e-mail “within a couple of days.”

News of the incident comes as Foster City, Calif.-based Visa on Sept. 4 announced its new Visa Authenticated Payment system, which is designed to help online merchants conduct real-time verification of the identities of online shoppers.

As of June 1, Visa required e-merchants to post their privacy policy and transaction security capability on their Web site so that cardholders know what type of protections are in place when they shop online.

Visa has also put in place a requirement, effective Jan. 1, 2002, that online merchants who accept Visa credit or debit cards offer encryption protection to cardholders during their online purchase. Any e-merchant participating in Visa Authenticated Payment satisfies this requirement.

In May, Visa inked deals with three of its top member banks – First USA Bank NA in Wilmington, Del., FleetBoston Financial Corp. in Boston and Providian Financial Corp. in San Francisco – to sign on to the Verified by Visa program. Visa said it expects to eventually win over all 14,000 of its card-issuing banks.

Mike Yakel, vice-president of Visa USA’s e-Visa division, said all online payment transactions go through “an acquirer,” or third-party payment vendor, that submits the purchase from the merchant to the Visa system over the Internet. There are about 50 to 100 companies nationwide that provide payment services, including Certegy (previously known as Equifax Payment Services), First Data Corp., Global Payments Inc., Total System Services Inc. and Vital Processing Services.

“Because the Internet is an open network, there is far more potential that the data could be accessed by somebody,” said Yakel.

However, banks that issue cards and sponsor payment vendors to become part of the “Verified by Visa” initiative also assume liability and have a responsibility to prevent security breaches from occurring, said Yakel.

“At the end of the day, the consumer information is being conveyed over an open network,” he said. “That is the problem.”
