Visa, Mastercard and Discover have warned that credit card holders’ personal information could be at risk after a security breach.
The firms said there had been “no breach” of its own system, instead blaming a third party.
Security blog KrebsOnSecurity, which first reported the story, said industry sources believed more than 10 million cards may have been compromised.
Reports suggested the stolen details had been obtained in New York.
The Wall Street Journal quoted its own industry sources as saying card-processing firm Global Payments was the company that suffered the breach. Shares in the company fell by more than 9% on Friday.
Global Payments has not responded to requests for comment.
None of the three companies, which are the three of the largest credit card processors would confirm how many customers were affected.
Visa and Mastercard, also used for debit cards of major US banks, said they had notified banks of the breach.
Discover Financial Services said it was monitoring accounts and would reissue cards if necessary.
In a statement, Mastercard said: “[We are] concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information.
“If cardholders have any concerns about their individual accounts, they should contact their issuing financial institution.”
Visa echoed Mastercard’s statement, emphasising that its customers are not responsible for fraudulent purchases.
Gartner analyst Avivah Litan said she believed the breach was related to a taxi garage in New York City.