Advertisement

SKIP ADVERTISEMENT

Lost Credit Data Improperly Kept, Company Admits

The chief of the credit card processing company whose computer system was penetrated by data thieves, exposing 40 million cardholders to a risk of fraud, acknowledged yesterday that the company should not have been retaining those records.

The official, John M. Perry, chief executive of CardSystems Solutions, indicated that the records known to have been stolen covered roughly 200,000 of the 40 million compromised credit card accounts, from Visa, MasterCard and other card issuers. He said the data was in a file being stored for "research purposes" to determine why certain transactions had registered as unauthorized or uncompleted.

"We should not have been doing that," Mr. Perry said. "That, however, has been remediated." As for the sensitive data, he added, "We no longer store it on files."

Under rules established by Visa and MasterCard, processors are not allowed to retain cardholder information including names, account numbers, expiration dates and security codes after a transaction is handled.

"CardSystems provides services and is supposed to pass that information on to the banks and not keep it," said Joshua Peirez, a MasterCard senior vice president who has been involved with the investigation. "They were keeping it."

The security breach was first reported Friday when MasterCard International said a lapse at CardSystems had allowed the installation of a rogue computer program that could extract data from the system, potentially compromising 40 million accounts of various credit cards.

MasterCard said Saturday that 68,000 of its own account numbers were especially at risk because they were in a file found to have actually been "exported from the system." CardSystems said yesterday that the file also contained data from other cards in proportion to the volume of business it handles from each company. That would translate to about 100,000 Visa accounts and roughly 30,000 others.

It is not clear whether those numbers could yet grow.

The details about CardSystems' handling of the data raised new questions about the effectiveness and enforcement of the standards established by the card companies for data protection and storage.

To protect cardholders, Visa and MasterCard have long-established policies for the merchants and processors that handle transactions on their payment network. They require their processors, for example, to hire a certified outside assessor to do an annual security assessment. Processors must also conduct a quarterly self-evaluation and scans for network vulnerabilities.

The card associations have also spent millions of dollars to upgrade their own computer systems with sophisticated fraud-detection software. Over the last two years, they have sent out teams to processor and merchant sites to review compliance.

But one kink in this chain -- one processor that fails to comply -- can put untold numbers of cardholders at risk of fraud.

"The standards themselves are very effectively written," said Tom Arnold, a partner at Payment Software Company, a consulting firm in San Francisco that advises and provides security assessments for merchants and processors. "The challenge in the industry can be when people don't fully comply or try to cut corners."

Avivah Litan, an industry analyst at Gartner Inc., agreed. "If they are really serious about these programs, they should pay attention to how the processors are guarding the data, and they are not," she said. After the disclosure of the security breach at CardSystems, varying accounts were offered about the company's compliance with card association standards.

Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with MasterCard's standards. "They were in violation of our rules," she said.

It is not clear whether or when MasterCard intervened with the company in the past to insure compliance, but MasterCard said Friday that it had now given CardSystems "a limited amount of time" to do so.

Asked about compliance with Visa's standards, a Visa spokeswoman, Rosetta Jones, said, "This particular processor was not following Visa's security requirements when we found out there was a potential data compromise."

Earlier, Mr. Perry of CardSystems said his company had been audited in December 2003 by an unspecified independent assessor and had received a seal of approval from the Visa payment associations in June 2004.

CardSystems, based in Tucson, processes more than $15 billion in payments for small to midsize merchants and financial institutions each year.

MasterCard said that it had detected atypical levels of fraudulent charges on its cards as early as mid-April and, joined by Visa and an unspecified bank in mid-May, had requested that CardSystems allow its independent forensics team, Ubizen, to investigate. It was not until May 22 that the security specialists identified the rogue computer program as the source, MasterCard said.

CardSystems said it contacted the F.B.I. offices in Tucson and Atlanta on May 23. The F.B.I. said Friday that its investigation was continuing.

Only MasterCard affirmed that it knew of specific instances of fraud against its customers traced to the CardSystems breach. Visa said it was monitoring the situation but had yet to detect any fraud traceable to the case. Those companies, along with American Express and Discover, said their cardholders would not be liable for fraudulent charges on their accounts.

Cardholders' concerns were largely referred to the card-issuing banks. Citigroup said the risk of identity theft to its cardholders was low but said it would closely monitor accounts. Chase Cards said that if cardholders spotted suspicious activity on their monthly or online statements, they should contact their bank. In such a case, identity theft experts said, it would be prudent to cancel the account.

CardSystems is one of hundreds of processors that provide terminals to merchants and help banks process millions of transactions a day, electronically relaying cardholders' names, account numbers and security codes so that once a card is swiped, the sale will be authorized, the merchant will be paid and the customer will be billed.

The processors area also a point in the matrix exposed to Internet traffic and possible intrusion.

"They typically have a Web site where merchants sign on with and then the merchants can look at the daily transactions, the balance in their account," Edward Lawrence, a managing associate at the Auriemma Consulting Group in Westbury, N.Y., which advises credit card merchants and processors. "My guess is that a hacker would get into the Web site and somehow find their way past a firewall and through the passwords and encroach onto the programming system."

Mr. Peirez of MasterCard said that the data inappropriately retained by CardSystems was particularly sensitive because it included cardholders' three- and four-digit security codes, making it more attractive to potential thieves because it can double or triple the black-market value of a cardholder's account. Ms. Litan of Gartner said there was no reason for a processor to store security codes. "It's probably just laziness or they don't know the rules," she added.

In addition, the data lost in the CardSystems case was apparently not encrypted. "If it was encrypted, the hacker would have gotten data but would not have known how to read it," said Mr. Lawrence of Auriemma Consulting.

The 40 million accounts that passed through CardSystems during the period in question may be the largest case of exposed data to date.

"There is going to be a lot of finger-pointing," said Susan Crawford, a professor of Internet law at Cardozo Law School. "It's a very complex situation, and we'll wind up for calls for very heavy-handed government regulation of data transmission."

Yet, there may be little incentive for processors to change. Visa and MasterCard have said that payment processors that violate their rules must pay a penalty, but they do not disclose the amounts of those fines. And it is typically the merchant that bears the cost of data fraud.

Zero liability for customers means that fraudulent charges come out of a bank or store's coffers in the form of higher merchant transaction fees. "The retailers will pay for it and the issuing banks will get rich off it," Ms. Litan said. "It's just another revenue stream."

"What is the incentive?" she added. "Staying out of the newspapers."

A version of this article appears in print on  , Section A, Page 1 of the National edition with the headline: LOST CREDIT DATA IMPROPERLY KEPT, COMPANY ADMITS. Order Reprints | Today’s Paper | Subscribe

Advertisement

SKIP ADVERTISEMENT