Sure You Know Who's Processing Your Payment Cards? $45 Million Breach Says Maybe Not

A February payment-card breach at U.S. card processor EnStage allowed thieves to steal $40 million, the company acknowledged over the weekend. EnStage, which is based in Silicon Valley but outsources its processing to a site in India, confirmed the breach and said it is investigating, the Indian Business Standard reported on Sunday (May 12).

Last week, U.S. prosecutors unsealed indictments that revealed an international ring in which cyberthieves broke into two card processors and raised the withdrawal limits on several prepaid debit-card accounts. Thieves armed with counterfeit ATM cards were then able to steal $5 million from one bank in December and $40 million from another bank in February.

The Indian Computer Emergency Response Team said on Sunday that it is investigating technical aspects of the breaches, Reuters reported.

The Indian processor breached in December, ElectraCard Systems, implied over the weekend that its PCI certification had been revoked after the $5 million theft. EnStage hasn't mentioned its PCI status in the wake of the $40 million theft.

While the thefts don't directly affect any retailers, the fact that it's difficult to get clear answers from the processors makes it much harder to gauge the breaches' impact. For example, EnStage offers merchant acquirer services for prepaid debit cards. However, it apparently does this as an outsourcer for merchant acquirers that want to offload the handling of those cards to a third party. As a result, there's no easy way to tell how many retailers' processing might be in EnStage's hands.

Two things are clear from this breach scenario. One is that card processing is increasingly outside the control of merchants. You think you know who's doing the work, but that may not be the case if your processor has outsourced it to someone else. (Customers, of course, will still blame the retailer who handled the card if anything goes wrong.)

It's also clear that retailers should really get under the protection of the Visa (NYSE:V) and MasterCard (NYSE:MA) liability shift as soon as possible. As the processing business becomes increasingly a black box, where merchants have no idea whose systems card data may be passing through, shifting financial liability to someone else in the payments chain looks increasingly attractive.
