–Company says it has given larger number of card numbers to card brands for monitoring
–Company continues to believe no more than 1.5 million card numbers were exported
–Personal information of prospective merchant clients may have been accessed
(Adds CEO comments and details beginning in first paragraph.)
Global Payments Inc. GPN +0.02% , which disclosed in late March that its North American processing system was hacked, said Tuesday personal information of merchants may also have been accessed.
Its investigation “recently revealed potential unauthorized access to servers containing personal information collected from a subset of merchant applicants.”
The Atlanta-based payments processor, which handles credit and debit card transactions for retailers and banks, disclosed the information after market close Tuesday.
“This is a database of individuals who have applied to process transactions with us,” Paul Garcia, chairman and chief executive of Global Payments, said during a conference call.
The information was for new as well as past applicants and pertained to “primarily small merchants,” he said, adding that the company has contained the situation.
It is unclear whether the information was actually viewed or taken from the company’s system, he said. Global Payments plans to notify individuals who were potentially affected in the coming days and offer credit monitoring and identity protection insurance to them for free.
The disclosure is the latest blow for Global Payments, one of the largest processors of card transactions. In late March, it said it identified and self-reported a breach of its North American processing system that exposed up to 1.5 million card accounts, potentially affecting cards from Visa Inc. V -0.22% , MasterCard Inc. MA +0.43% , American Express Co. (AXP) and Discover Financial Services (DFS).
Analysts peppered executives with questions over the size and scope of the latest disclosure, though the company gave little specific information about the incident or how it occurred.
Visa and MasterCard have since removed Global Payments from their lists of approved third-party vendors that meet their security standards, though it continues to be able to process transactions for the card brands.
Global Payments hired a company to assess the security of its systems, a required step to get back into compliance with the credit-card companies requirements, Garcia said.
It continues to believe the number of card numbers “exported,” or taken, from its system didn’t exceed 1.5 million, though it has given a larger number of card numbers to the credit-card brands for monitoring purposes, the company said Tuesday.
Information accessed included card numbers and other details that can be used to create counterfeit cards but didn’t contain cardholder names, addresses or Social Security numbers.
Global Payments was the nation’s seventh-largest “merchant acquirer” in the U.S. last year, according to the Nilson Report, a newsletter in Carpinteria, Calif., that tracks the payments industry. Global Payments handled $120.6 billion in Visa and MasterCard card volume last year, according to the newsletter.
Its shares closed up 0.8% at $42.19 Tuesday and fell 0.2% in after hours trading.