Bad news for merchants and shoppers alike: mobile payments provider CHARGE Anywhere LLC has revealed that it suffered a malware attack on its electronic payment gateway systems that lasted for five years, putting cardholder names, account numbers, card expiration dates, and verification codes at risk.

Having been “asked to investigate fraudulent charges that appeared on cards that had been legitimately used at certain merchants”, CHARGE Anywhere found that malware capable of capturing segments of network traffic – i.e. cardholder data – had been present on its networks since November 2009.

Although the company only identified “files containing the segments of captured network traffic from August 17, 2014 through September 24, 2014”, payment cards used between November 5, 2009 and September 24, 2014 could have been affected.

According to CHARGE Anywhere’s statement, “The attack has been completely shut down and fully investigated” and the malware has been “completely eradicated” from the company’s systems.

How do you know if you’ve been affected?

CHARGE Anywhere says it has been “working with the credit card companies and processors to provide them with a list of merchants and the account numbers for cards used during the period at issue so that the banks that issued those cards can be alerted”.

Rather than issue a full list of affected merchants, however, CHARGE Anywhere has instead provided a searchable database: https://www.chargeanywhere.com/notice/search.aspx.

While this facility will help merchants to determine whether their customers suffered as a result of any data loss, the customers themselves remain in the dark. Unless you’ve kept a record of every card transaction you’ve made in the last five years, you have no way of knowing if your card data has been lost until you suffer unauthorized activity on your card. If that does happen, CHARGE Anywhere advises you to contact your bank, noting that “credit card companies typically guarantee that cardholders will not be responsible for fraudulent charges”.

Merchants that store, transmit, or process cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS).
