Visa and MasterCard, the nation’s largest payment processors, said Friday that they were investigating a possible security breach at a third-party vendor to determine whether data thieves had gained access to credit card holders’ personal information.


An official at one major American bank, who declined to be identified because the investigation was at an early stage, estimated that one million to three million cardholders could be affected. That does not mean all those cards were used fraudulently, but that credit card information on the cardholders was exposed.


The official identified the third-party vendor as Global Payments in Atlanta, an intermediary between merchants and card processors. After the possible breach was reported by a blog called Krebs on Security, trading in Global Payments shares was halted. The share price had dropped 9.1 percent to $47.50. 


Global Payments did not return calls seeking comment. The Krebs blog said the incident occurred between Jan. 21 and Feb. 25.


MasterCard would not say how many cardholders might have been affected by the attack. The card companies said they had alerted banks and law enforcement officials to the breach, and emphasized that their own systems had not been compromised.


“We have alerted payment card issuers regarding certain MasterCard accounts that are potentially at risk,” MasterCard said in a statement. A Visa representative said that “there has been no breach of Visa systems.”


The Secret Service said it was investigating the incident.


The bank official said that Visa and MasterCard notified his company on Thursday, but that banks had been frustrated with the pace of disclosure by Global Payments. He said they had provided little information on where the breaches took place, how accounts were hacked and other details that might indicate which customers might be vulnerable.


“You can understand common places where cards are used,” he said. “But we haven’t gotten that.”


The investigation by the card companies highlights concerns about the vulnerability of electronic financial data particularly as banking customers migrate to mobile payments.


As financial services companies have improved security over the past year, criminals have aimed at a specific part of the credit card system: the payment processors that act as a bridge between banks and retailers. Security consultants say that the sophistication of these attacks is increasing, holding the potential for a growing wave of attacks intended to grab valuable financial data.


“Hackers are well aware that these systems don’t have the same sophisticated levels of security as the banks,”said Tom Kellerman, a vice president at Trend Micro, a computer security company. “The payment processors have become their Achilles’ heel.”Last year, hackers attacked Citigroup, capturing names, account  numbers, e-mail addresses and transaction histories of thousands of customers.


The attack was aimed at a third-party vendor that processed credit and debit card payments for retailers and merchants. Such vendors have been a favored target of hackers because they are a repository for rich veins of cardholder data.


The latest episode is reminiscent of a breach at Heartland Payment Systems that began in 2007 but was not fully discovered and disclosed until 2009. In that case, hackers are estimated to have stolen 130 million consumer credit card records. Heartland estimated that the breach cost it $140 million in fines, settlements and legal fees.