RealTime IT News

CardSystems May Close Doors

The credit card processor that exposed approximately 40 million records to possible identity theft is facing possible financial ruin.

After Visa and American Express canceled their contracts with CardSystems last week, the company's CEO told Congress the future is grim for the Atlanta-based firm.

Following the record hack in May, both Visa and American Express said they would terminate their relationships with the card processor effective Oct. 31, a decision CardSystems CEO John Perry told a House subcommittee last week he hopes to reverse.

"We are disappointed with these actions and, in light of our diligent efforts to remediate, hope that both Visa and American Express will agree to discuss their decision with us and reconsider, lest we be forced to permanently close our doors," Perry said.

MasterCard is giving the company until Aug. 31 to develop a detailed security upgrade plan.

"We are heartened that MasterCard recognizes that CardSystems is on the path to becoming fully compliant with the industry's data security standards," Perry said.

As recently as last year, a Visa audit of CardSystems found the company in compliance with the credit card giant's Cardholder Information Security Program (CISP). The audit -- conducted by Visa CISP security assessor Cable & Wireless -- determined there were no security deficiencies at CardSystems that were not covered by compensating controls.

Since then, however, the payment card companies developed new standards known as the Payment Card Industry Data Security (PCI). Based on Visa's CISP, the new standard was adopted by Visa, MasterCard, Discover, American Express and Diners Club.

Visa and MasterCard set a June 30 deadline for payment processors to be in compliance with the PCI standards. After the CardSystems breach, the companies gave CardSystems until Aug. 31 to meet the standards.

"CardSystems expects to be fully certified as compliant with the PCI standard requirements at that time [Aug. 31]," Perry said. "While MasterCard continues to indicate that our compliance will allow us to remain an approved processor, Visa has ... changed its mind and as of now plans to terminate us no later than Oct. 31."

The CardSystems breach exposed data, including holder names, banks and account numbers. No Social Security numbers, birth dates or personal information were stored on the accounts.

Perry testified that in September of last year, a hacker placed a script on the CardSystems platform through an Internet-facing application used by customers to access data. The script targeted particular file types and was scheduled to run every four days.

"As we have repeatedly acknowledged, our error was that the data was kept in readable form in violation of Visa and MasterCard security standards. As of May 27, 2005, track data is no longer stored by CardSystems," Perry said.
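A defender-side check for the retention problem Perry describes, added here as an illustrative example rather than code from CardSystems or the card brands: a scanner that flags magnetic-stripe track 1 and track 2 records left in readable form in processor files. The sample file lines, function names and the Luhn-valid test card numbers are constructed assumptions.

```python
import re

# Magnetic-stripe track layouts (ISO/IEC 7813):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Report only the last four digits so the scanner's output is not a second copy of the data."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_track_data(lines):
    """Return one finding per retained track-1/track-2 record in the given text lines."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
            for m in pattern.finditer(line):
                pan = m.group(1)
                if not luhn_ok(pan):
                    continue  # not a plausible card number; skip to limit false positives
                findings.append({"line": lineno, "track": track, "pan": mask(pan),
                                 "service_code": m.group(4) if track == 1 else m.group(3)})
    return findings


# Constructed sample of a processor-side batch/log file. The card numbers are
# the widely published Luhn-valid test numbers, not real accounts; line 1 shows
# the compliant form (PAN masked, no track data) and line 4 fails the Luhn check.
SAMPLE_LINES = [
    "2005-05-20 settle batch=7 pan=************1111 amount=42.10",
    "2005-05-20 raw ;4111111111111111=27121011234567890?",
    "2005-05-20 raw %B5555555555554444^DOE/JANE^27121011234?",
    "2005-05-20 raw ;4111111111111112=27121010000000000?",
]

if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_LINES):
        print(finding)
```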

Perry testified that three files were illegally removed from the CardSystems platform.

Of the three files, one was empty, one contained about 4,000 records and the third contained approximately 259,000 records. Those 263,000 records in total correspond to 239,000 discrete account numbers.

"So far, out of all of the account numbers that may have been affected, we have not been notified of any that have been used fraudulently," Perry testified. "As I have indicated, the security systems in place in the payment card industry are set up to ensure that minimum cardholder account information is provided to payment processors like us."

Perry added, "This also means that CardSystems has no access to the information which would provide us the means to directly monitor consumer fraud."