The credit card processor that exposed approximately 40 million card records to
possible identity theft is now facing financial ruin.
After Visa and
American Express canceled their contracts with CardSystems last week, the
company’s CEO told Congress the future is grim for the Atlanta-based firm.
Following the record hack in May, both Visa and American Express said they would terminate their relationships with the card processor effective Oct. 31, a decision CardSystems CEO John Perry
told a House subcommittee last week he hopes to reverse.
“We are disappointed with these actions and, in light of our diligent efforts
to remediate, hope that both Visa and American Express will agree to discuss
their decision with us and reconsider, lest we be forced to permanently close
our doors,” Perry said.
MasterCard is giving the company until Aug. 31 to develop a detailed security
upgrade plan.
“We are heartened that MasterCard recognizes that CardSystems is on the path
to becoming fully compliant with the industry’s data security standards,”
Perry said.
As recently as last year, a Visa audit of CardSystems found the company in
compliance with the credit card giant’s Cardholder Information Security
Program (CISP). The audit — conducted by Visa CISP security assessor Cable &
Wireless — determined that every security deficiency found at CardSystems
was covered by compensating controls.
Since then, however, the payment card companies have developed a common standard
known as the Payment Card Industry Data Security Standard (PCI DSS). Based on
Visa’s CISP, the new standard was adopted by Visa, MasterCard, Discover,
American Express and Diners Club.
Visa and MasterCard set a June 30 deadline for payment processors to be in
compliance with the PCI DSS. After the CardSystems breach, the companies
gave CardSystems until Aug. 31 to meet the standard.
“CardSystems expects to be fully certified as compliant with the PCI standard
requirements at that time [Aug. 31],” Perry said. “While MasterCard continues
to indicate that our compliance will allow us to remain an approved
processor, Visa has … changed its mind and as of now plans to terminate us no
later than Oct. 31.”
The CardSystems breach exposed cardholder names, issuing banks and account
numbers. No Social Security numbers, birth dates or other personal information
were stored with the accounts.
Perry testified that in September of last year, some eight months before the
breach came to light in May, a hacker placed a script on the CardSystems
platform through an Internet-facing application used by customers to access
data. The script targeted particular file types and was scheduled to run every
four days.
“As we have repeatedly acknowledged, our error was that the data was kept in
readable form in violation of Visa and MasterCard security standards. As of
May 27, 2005, track data is no longer stored by CardSystems,” Perry said.
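What "track data kept in readable form" means in practice, shown as an added example that is not part of this article and says nothing about how CardSystems' own systems or the intrusion actually worked: a scanner that finds magnetic-stripe Track 1 and Track 2 records in stored text, uses the Luhn check to discard digit runs that are not card numbers, and a truncation routine that keeps only the first six and last four digits of the PAN and drops the expiry, service code and discretionary data entirely. The record layouts, field names and the batch of transaction lines (built from well-known test card numbers) are constructed for the example.

```python
import re

# Track 2 as encoded on the stripe: optional start sentinel ';', PAN (up to 19
# digits), field separator '=' (or 'D' in the raw nibble encoding), YYMM expiry,
# 3-digit service code, discretionary data, optional end sentinel '?'.
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{13,19})[=D](?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??"
)

# Track 1, format B: '%B', PAN, '^', name, '^', YYMM, service code,
# discretionary data, end sentinel '?'.
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\??"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track_data(text: str) -> list[dict]:
    """Locate readable Track 1 / Track 2 records; Luhn-validate the PAN to cut
    false positives from arbitrary digit runs such as timestamps or IDs."""
    findings = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            pan = m.group("pan")
            if not luhn_ok(pan):
                continue        # digits, but not a card number
            findings.append({
                "type": kind,
                "pan": pan,
                "expiry": m.group("exp"),
                "service_code": m.group("svc"),
                "span": m.span(),
            })
    return findings


def truncate_for_storage(text: str) -> str:
    """Replace each track record with a truncated PAN (first six, last four);
    everything after the PAN is discarded rather than masked."""
    def repl(m: re.Match) -> str:
        pan = m.group("pan")
        if not luhn_ok(pan):
            return m.group(0)   # not card data; leave untouched
        return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return TRACK2_RE.sub(repl, TRACK1_RE.sub(repl, text))


# Constructed sample: a settlement-style batch in which track data was written
# to disk in the clear. Card numbers are the standard public test numbers.
SAMPLE_BATCH = "\n".join([
    "txn=1001 %B4111111111111111^DOE/JANE^05121011234567890?",   # Track 1
    "txn=1002 ;5555555555554444=0512101987654321?",               # Track 2
    "txn=1003 ;4111111111111112=0601101000000000?",               # fails Luhn
    "txn=1004 411111******1111",                                  # already truncated
])

if __name__ == "__main__":
    for f in find_track_data(SAMPLE_BATCH):
        print(f"{f['type']}: PAN {f['pan'][:6]}...{f['pan'][-4:]} exp {f['expiry']}")
    print(truncate_for_storage(SAMPLE_BATCH))
```

The scanner is the check a processor would run over its own file stores after authorization: any hit is a record that should not exist at all, since the card brands' rules forbid retaining full track data after a transaction is authorized, however it is encoded, while a PAN may be kept only if it is rendered unreadable. Running `find_track_data` over the output of `truncate_for_storage` returns nothing, which is the property to assert in a storage pipeline.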
Perry testified that three files were illegally removed from the CardSystems
platform.
Of the three files, one was empty, one contained about 4,000 records and the
third contained approximately 259,000 records. Those 263,000 records in total
correspond to 239,000 distinct account numbers.
“So far, out of all of the account numbers that may have been affected, we
have not been notified of any that have been used fraudulently,” Perry
testified. “As I have indicated, the security systems in place in the payment
card industry are set up to ensure that minimum cardholder account information
is provided to payment processors like us.”
Perry added, “This also means that CardSystems has no access to the
information which would provide us the means to directly monitor consumer
fraud.”