After the security breach at CardSystems, many who previously paid little attention to the card acquiring business are paying attention now.
August 21, 2005
This story originally appeared in The Green Sheet, Aug. 8, 2005, issue 05:08:01.
One thing to say about the security breach at CardSystems Solutions Inc.: Many who previously paid little attention to the card acquiring business are paying attention to it now.
Sen. Dianne Feinstein (D-Calif.), for example, is using the occasion of this well-publicized security breach to draw attention to legislation she introduced that would require companies to notify customers whenever a hacking incident may have compromised personal data.
"This incident is a clear sign that industry's efforts to self-regulate when it comes to protecting consumers' sensitive personal data are failing," Feinstein wrote in letters to executives at Visa USA, MasterCard International, American Express Co. (AmEx) and Discover Financial Services.
"The fact that hackers could have accessed data on up to 40 million accounts because of a processor's failure to follow your own established rules makes me question the effectiveness and ability of self-regulation by your industry."
Feinstein is one of about a dozen members of Congress who have introduced legislation setting national rules for consumer notifications in events like the CardSystems security breach.
On the other side of Capitol Hill, a subcommittee of the House Committee on Financial Services held hearings in July on credit card processing and data security. Among those called to testify were executives of CardSystems and MasterCard.
Visa, AmEx drop CardSystems; MasterCard doesn't
Meanwhile, Visa and AmEx have terminated CardSystems' status as an approved card processing agent. Visa's member banks have until Oct. 31, 2005, to transfer merchant customers to a different processor. AmEx is giving its merchants and issuing banks until an unspecified date in October.
"Despite some remediation actions taken by the processor since the initial reporting of the data compromise, Visa cannot overlook the significant harm the data compromise - and CardSystems' failure to maintain the required security protections - has had," Rosetta Jones, vice president, Visa USA, said in a statement.
MasterCard, on the other hand, is giving CardSystems until Aug. 31, 2006, to bring its operations into compliance with MasterCard security requirements. Chris Thom, MasterCard's chief risk officer, said taking away CardSystems' right to handle MasterCard transactions wasn't warranted, since CardSystems corrected the problems that led to the breach.
"We've made sure they're not a risk, and we'll have them back and running with a fully certified security system by the end of August," Thom said.
Attorney Adam Atlas, who specializes in merchant services issues, said the moves by Visa and AmEx could have serious implications. Most of CardSystems' merchants are with Utah-based Merrick Bank and total roughly 105,000. Atlas said it will be very difficult to place all these merchants with other banks and processors in the coming months.
"Visa is taking an unreasonable position," Atlas said. "They overreacted, and their proposed termination of CardSystems is going to cause more harm than good … to thousands of ISOs who sell the services of Merrick and CardSystems and the merchants who use those services."
CardSystems continues to move forward in rectifying its data security problems. The company hired AmbironTrustWave, a Chicago-based security management and compliance company, to perform a Payment Card Industry Data Security Standard compliance assessment.