A credit card processor settled charges with the Federal Trade Commission
(FTC) Thursday over what the FTC characterizes as the largest known compromise of financial data to date.
Last June, CardSystems revealed
it exposed personal information on more than 40 million credit cards after
hackers cracked into the firm’s computer system.
The FTC said CardSystems’s lax security practices, taken together, constituted
an unfair trade practice.
To settle the charges, CardSystems agreed to implement an information
security program and to obtain audits from an independent third-party
security professional every other year for 20 years.
“CardSystems kept information it had no reason to keep and then stored it in
a way that put consumers’ financial information at risk,” FTC Chairman
Deborah Platt Majoras said in a statement. “Any company that keeps sensitive
information must take steps to ensure that the data is held in a secure
There was no fine included in the settlement since the statute under which
CardSystems was charged prohibits civil penalties.
In a similar case charged
under a different law, data broker ChoicePoint paid a record $10 million fine for inadequately protecting consumer data.
CardSystems does, however, face potential financial liability under banking
laws and private litigation for losses related to the breach.
According to the FTC, CardSystems, as a credit card processor, provided
merchants with hardware and software used in obtaining approval for credit
and debit card purchases from the banks that issued the cards.
CardSystems collected the personal information, including card numbers and
expiration dates, from the magnetic strip on the cards. In 2005, CardSystems
processed more than 210 million card purchases totaling more than $15
The company then stored the information on its own system where it
eventually became exposed to data theft.
The FTC charged CardSystems with creating unnecessary risks to the
information by storing it, including not using readily available security