Four giant card-payment processors and large U.S. banks that issue debit and credit cards were hit by a data-security breach after a third-party services provider discovered its systems were compromised by unauthorized access.
It was not immediately clear how many cardholders became victims of the breach, which affected MasterCard Inc., Visa Inc., American Express Co. and Discover Financial Services, along with banks and other franchises that issue cards bearing their logos.
U.S. law enforcement authorities including the Secret Service are investigating, and MasterCard said it has hired an independent data-security organization to review the incident.
Shares of Atlanta-based Global Payments, which acts as a credit-checking middleman between merchants and card processors, were halted Friday afternoon after dropping more than 9 percent on the news.
Analysts said any financial losses from the data breach would be shouldered by merchants, card issuers and Global Payments rather than Visa or MasterCard, which operate payment networks.
Global Payments said it determined an unauthorized entity had accessed its systems and possible customer card data in early March. Krebs on Security, a blog that first reported the incident Friday, said accounts had been compromised for more than a month, between Jan. 21 and Feb. 25.
Global Payments is holding an investor conference call Monday morning to discuss the issue.
Individual banks and processors said they had not yet determined the full extent of the breach, but Krebs on Security described it as a “massive” breach that could affect more than 10 million cardholders.
Some industry experts suggested the figure might be much less, perhaps on the order of tens of thousands. Bernstein Research analyst Rod Bourgeois added that Global Payments is a relatively small player in the transactions services industry, servicing 800,000 merchants with a 3.5 percent market share.
JPMorgan Chase & Co. along with American Express and Discover, which issue their own cards, said they are monitoring customer accounts and would issue new cards to anyone whose information might have been compromised. Citigroup said it has been notified by processors of the breach. Bank of America Corp. declined to comment on the matter, and Wells Fargo & Co. said it was too early to comment on the impact.
Banks and processors emphasized customers would not be held liable for any fraudulent charges that could occur. Processing companies, which perform millions of authorizations each day, are supposed to encrypt card information. But a breach could occur if someone gains access to the system and identifies a gap in the encryption.