Visa has confirmed that recent mass credit-card account cancellations at Westpac are related to a data tape theft in late May.
But just which payment gateway or third party vendor lost the tapes remains a mystery. So too does the extent of the security breach and how many card accounts have been affected.
Pauline Hayes, corporate relations manager at Visa International - Australia and New Zealand confirmed the data tape theft to eCommerce Report by email earlier this week.
"In response to your question about the recent article about Westpac - as I outlined, an investigation into the theft of data tapes on May 25 is ongoing and therefore we cannot comment further on this matter."
The article she was referring to appeared in the Sydney Morning Herald on July 19 and reported that Westpac had been cancelling Visa cards.
Westpac's cards partner, Virgin Money, was also cancelling MasterCards just a week later, as ZDNet reported on 24h July.
None of the three other major banks contacted by eCommerce Report said they've been cancelling cards recently.
NAB, however, confirmed it had been notified of a potential card security problem.
"We haven't had to cancel any cards like Westpac" said NAB spokeswoman Rebekah Niles.
But she added that "We have been made aware of a potential data compromise and identified any card numbers that could be involved. We've escalated those numbers for closer examination in our fraud monitoring system."
ANZ and Commonwealth Bank spokespersons denied cancelling any cards recently.
So just why Westpac views the security breach as more serious than do its competitors, indeed so serious as to start cancelling cards, is not yet clear.
Certainly Westpac is very definite that none of its systems were at fault.
"…[T]he card data compromise which has impacted Westpac and Virgin cards relates to transactions that have occurred with a third party vendor who uses a payment gateway provided by one of the other major banks…" said Jane Counsel, Westpac's senior media relations manager.
Of course, none of the major banks these days provide or run their own payment gateway, at least not for processing credit-card payments at online merchants.
Like Westpac, the other three major banks all refer Internet merchants to specialist payment gateway service providers such as Securepay, eWay, Dialect Solutions and their innumerable re-sellers.
But in turn, these companies connect to the banks through gateways provided by only one of three providers.
At the NAB, which recently stopped selling its National Secure Internet Payment Service (NSIPs), all the internet payment gateways send transactions into their bank's systems via a gateway connection provided by either Quest (branded in the marketplace as Interpay), Dialect ( known as MIGS or the Mastercard Internet Gateway Solution) or the US owned First Data International.
So whereas Westpac's spokeswoman is pointing the finger at another bank's gateway, (which may or may not be accurate) that still leaves a large number of potential candidates.
* Stewart Carter is editor of industry newsletter
The eCommerce Report
mail@ecommercereport.com.au