By Lauren Tara LaCapra and Carrick Mollenkamp
(Reuters) - The U.S. Secret Service is investigating a major cyber intrusion at an Atlanta-based payment processor that could expose millions of MasterCard, Visa, American Express and Discover cardholders to fraudulent charges.
Processor Global Payments Inc said on Friday it had found "unauthorized access" into its system early in March and notified law enforcement and financial institutions.
Payment network operators MasterCard Inc, Visa Inc, American Express Co and Discover Financial Services confirmed they were affected, along with banks and other franchises that issue cards bearing their logos.
A spokesman for the Secret Service said the agency is leading investigations into the case but declined to give any details.
Though Global Payments is far from a household name, middlemen such as the company are prized targets for hackers because of the vast amount of sensitive financial information they handle.
The company's stock fell more than 9 percent on the news before trading was halted. It said it would discuss the breach in a phone call for investors on Monday.
It was not immediately clear how Global Payments was penetrated or how many accounts were exposed. Consumers who detect fraud usually can be reimbursed. That leaves merchants on the hook financially, though they could file claims against Global Payments.
Analysts said MasterCard and Visa are unlikely to face costs from the breach, but MasterCard shares fell 1.8 percent to close at $420.54 and Visa shares dropped 0.8 percent to $118.
The security breach is just the latest in a long string of incidents that have put the personal information of millions of credit and debit cardholders at risk.
Individual banks and processors said they had not yet determined the full extent of the breach, but the blog Krebs on Security, which first reported the breach, said it was "massive" and could affect more than 10 million cardholders.
Some industry experts suggested the figure might be much lower, perhaps on the order of tens of thousands. Bernstein Research analyst Rod Bourgeois noted that Global Payments is a relatively small player in the transactions services industry, servicing 800,000 merchants with a 3.5 percent market share. By contrast, the largest competitor, First Data, services millions of merchants, with 22.6 percent of the market.
JPMorgan Chase & Co, as well as American Express and Discover, which issue their own cards, said they are monitoring customers' accounts and would issue new cards to anyone whose information may have been compromised.
Citigroup Inc said it has been notified by processors of the breach. Bank of America Corp declined to comment on the matter and Wells Fargo & Co said it was too early to comment on the impact.
Banks and processors emphasized customers would not be held liable for any fraudulent charges that may occur.
Michael Simonsen, chief executive of real-estate research company Altos Research, said he may have been a victim.
Simonsen said he was contacted by Bank of America last week about his Visa card. Although there were no unauthorized transactions, the representative told him a vendor or law enforcement agency had flagged his account as compromised and so he would receive a new one.
"It was very unusual," he said.
Global Payments, which has about 3,700 employees, was spun off from information-services firm National Data Corp in 2001. For the fiscal year ended May 31, Global Payment reported revenue of $1.9 billion, up 13 percent from the year-earlier period. According to a company presentation in January, it estimated fiscal 2012 revenue at about $2.15 billion.
Global Payments is scheduled to report fiscal third-quarter results on Wednesday and an improvement is expected. On Wednesday, Sterner Agee raised its stock price target for Global Payments to $65 from $58.
Global Payments is one of dozens of companies that operate along the payment-processing chain, between the time a person swipes a card to pay and the time the payment is delivered.
The account number, expiration date and possibly the cardholder's name is sent from the point of payment to a processor, which then connects to Visa, MasterCard, American Express or Discover. Information is then sent to the card issuer — often a bank — which ultimately authorizes the transaction.
The actual transfer of money occurs later.
Processing companies, which perform millions of authorizations each day, are supposed to encrypt card information. But a breach could occur if someone gains access to the system and identifies a gap in the encryption.
The information that was likely collected illegally from Global Payments is called Track 1 and Track 2 data. A person improperly using the information can transfer the account number and expiration date to a magnetic strip on a card and then try to use the card on a website.
Thousands of U.S. banks that issue credit and debit cards receive daily alerts regarding breaches, said Thomas McCrohan, an analyst with Jane Capital Markets.
The illegal use of the data could be stymied if an online merchant asks for the three or four digits printed on a card known as the "CV code."
"The systems can all be made tighter, but if they're too tight no transactions would ever be approved," said Edward Lawrence, a director at Auriemma Consulting Group, a payment systems consultant. "You still have to allow commerce to occur."
Rep. Mary Bono, a California Republican who chairs the House Subcommittee on Commerce, Manufacturing and Trade, condemned the Global Payments breach and urged Congress to adopt stronger data-security legislation this year.
"You shouldn't have to cross your fingers and whisper a prayer when you type in a credit card number on your computer and hit 'enter,'" she said in a statement.
The breach is the first major instance this year of consumer information put at risk by technological flaws or hacking, but there are plenty of examples of massive data breaches in recent years affecting banks, retailers, technology companies and payment processors.
Last June, Citigroup said computer hackers breached the bank's network and accessed data of about 200,000 cardholders in North America.
Sony Corp also reported several recent attacks, including one last year in which hackers accessed the personal information on 77 million PlayStation Network accounts.
Google Inc suffered a major attack on its Gmail accounts in 2011 that it said appeared to originate in China. Attacks against Gmail users involved direct attempts to compromise accounts by tricking users into revealing information - so-called "phishing" - or by gathering their passwords from other websites, rather than compromising Google systems, according to the company.
Separately, TJX Co Inc and Heartland Payment Systems Inc have had their systems compromised.
On Friday, retailers were already beginning to look for fraudulent purchases from the compromised card accounts stemming from the Global Payments breach. They will bear the financial brunt of those crimes under rules worked out with the card associations and issuers, analysts said.
"Our merchant community is sitting here girding itself and looking at their own fraud-prevention strategies and bracing for the influx of bad transactions," said Tom Donlea, managing director for the Americas at the nonprofit Merchant Risk Council. "After Heartland and after the Sony breach, there was an increase in fraud activity."
(Reporting by Lauren Tara LaCapra, Carrick Mollenkamp and Jed Horowitz in New York, Joseph Menn in San Francisco, Ben Berkowitz in Boston, and Rick Rothacker in Charlotte, North Carolina; writing by Lauren Tara LaCapra and Joseph Menn; editing by Gerald E. McCormick, Andre Grenon, Phil Berlowitz and Richard Chang)