Heartland Payment Systems says it has found malicious software in its processing system, potentially compromising the card data of millions of people.
In a statement, the US payments processor says the malware, planted last year, has compromised data that crossed its network. Credit card numbers and expiration dates have been exposed, the firm's president, Robert Baldwin, told reporters.
The company has not revealed how many people are at risk or precisely how long the malware was in its computer system. However, according to its Web site, Heartland serves more than 250,000 businesses around the country and handles over four billion transactions a year.
The intrusion was uncovered last week by an investigation conducted by forensic auditors who were brought in after Visa and MasterCard warned of suspicious activity surrounding processed card transactions.
Baldwin says the company understands the breach "may be the result of a widespread global cyber fraud operation".
The firm says no merchant data or cardholder social security numbers, unencrypted PINs, addresses or telephone numbers were involved in the breach.
Federal law enforcement officials and the card firms have been informed and a Web site has been set up for concerned cardholders. Customers are also being advised to examine their monthly statements closely and report any suspicious activity to their card issuers.
The firm will now roll out a programme to "flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals".
The Heartland breach comes just weeks after CheckFree's electronic bill payment site was compromised, with criminals redirecting user traffic to a bogus malware site. The firm has warned around five million customers that their data may be at risk.
In 2007, over 94 million Visa and MasterCard accounts are estimated to have been exposed to fraudsters in the security breach at US retailer TJX.