The Global Payments breach could have persisted for eight months.
As reported in April, Visa and Mastercard said they became aware of a potential data compromise at a third party affecting credit-card account information from all major card brands; the blame was eventually placed on Atlanta-based Global Payments.
According to security blogger Brian Krebs, who originally broke the story, the impact was at first believed to have occurred between 21 January and 25 February 2012, but subsequent alerts sent to banks have pushed that exposure window back to December, August or even June 2011.
He said: “Security experts say it is common for the tally of compromised cards to increase as forensic investigators gain a better grasp of the extent of a security breach. But so far, Global Payments has offered few details about the incident beyond repeating that fewer than 1.5 million card numbers may have been stolen from its systems.”
Global Payments "sincerely apologised" for any concern that the incident has caused and said that it continues to work with industry third parties, regulators and law enforcement to assist in all efforts to minimise cardholder and customer impact.
It has also confirmed that "some card brands" have removed it from their lists of PCI-compliant processors after the data breach last month.
A statement on its website said: “Based on our announcement of unauthorised activity in a limited segment of our North American processing system, some card brands removed us from their list of PCI-compliant service providers.
“They have requested we revalidate our PCI status, which we will do following the current investigation. We anticipate that we will be reinstated to those lists at the conclusion of the revalidation and any required remediation.”
However, this does not stop Global Payments from processing transactions for the brands, and it said that it will continue to process transactions for all card brands.