http://www.nytimes.com/2005/07/19/business/19visa.html
By ERIC DASH
July 19, 2005
Visa USA said yesterday that it would stop allowing the payment
processor CardSystems Solutions to handle its transactions, months
after the processor left the records of millions of cardholders at
risk for fraud.
"CardSystems has not corrected, and cannot at this point correct, the
failure to provide proper data security for those accounts," said Tim
Murphy, Visa's senior vice president for operations in a memorandum
sent to several banks. "Visa USA has decided that CardSystems should
not continue to participate as an agent in the Visa system."
Cardholders and merchants should not be affected by the change.
Visa said its decision to remove CardSystems came after a review and
an independent investigation found that the payment processor had
improperly stored cardholder data and did not have the proper controls
in place.
It is unclear if MasterCard and American Express will take similar
action, but with Visa accounting for more than half of all card
transactions, the move raises questions about the future of
CardSystems.
"I've never heard of them booting off a processor," said Avivah Litan,
a security analyst at Gartner Inc., a technology research group. "The
worst thing that I've heard is a processor that had to cough up $1
million."
The move came at least two months after Visa first learned that data
had been compromised and just days before its executives, along with
those of other major card companies, have been called to testify in
Washington about their security practices. The chief executive of
CardSystems, John M. Perry, is also expected to testify on Thursday.
In a statement released yesterday, CardSystems said Visa's decision
was unexpected and upsetting. "We are disappointed and very surprised
that Visa has decided to take this action today, not only because of
the impact that it will have on our employees, but the disruption that
it will cause to our 110,000 merchant customers," the processor said
in a statement. "We hope that Visa will reconsider."
Visa has given at least 11 banks, which hired CardSystems to handle
the merchant transactions, until the end of October to change
processors, the memo said. Until then, CardSystems will be allowed to
process Visa transactions as long as it has corrected any problems and
allows a Visa-affiliated monitor on site to oversee its operations in
Tucson. CardSystems is also banned from handling Visa transactions
from its international affiliates or any new merchants, processors or
member banks in the United States.
Visa had been weighing the decision for a few weeks but as recently as
mid-June said that it was working with CardSystems to correct the
problem. CardSystems hired an outside security assessor this month to
review its policies and practices, and it promised to make any
necessary upgrades by the end of August. CardSystems, in its statement
yesterday, said the company's executives had been "in almost daily
contact" with Visa since the problems were discovered in May.
Visa, however, said that despite "some remediation efforts" since the
incident was reported, the actions by CardSystems were not enough.
"Visa cannot overlook the significant harm the data compromise and
CardSystems' failure to maintain the required security protections has
had on member financial institutions and merchants as well as the
significant concerns it raised for cardholders," the company said in a
statement.
At this point, it is unclear what the other branded card companies
will do. MasterCard has previously said that it was giving CardSystems
a "limited amount of time to demonstrate compliance with MasterCard
security requirements" but never laid out a specific timetable.
Sharon Gamsin, a MasterCard spokeswoman, did not return calls seeking
comment. Judy Tenzer, an American Express spokeswoman, said the
company did not comment about its relationships with vendors. Leslie
Sutton, a Discover Financial spokeswoman, could not offer an immediate
response.
Visa's decision is the latest development since the disclosure in
mid-June that the CardSystems computer network had been compromised,
putting the cardholder names, account numbers and security codes of as
many as 40 million credit and debit cardholders at risk for fraud. The
information of about 22 million Visa cardholders was exposed;
MasterCard reported the data of 14 million of its cardholders was
potentially at risk; and the rest largely belonged to customers of
American Express and Discover.
At the time, Mr. Perry of CardSystems acknowledged that the company
had been improperly storing data, violating Visa and MasterCard
security rules. He said data thieves directly obtained information
related to some 200,000 cardholder accounts. The F.B.I and a group of
federal banking regulators are now investigating.
In its statement, Visa offered its most scathing indictment of those
security violations to date. The chief executive of CardSystem had
"stated that the company knowingly retained unmasked magnetic stripe
cardholder data, purportedly for 'research purposes,' " Visa said.
"Visa's security requirements were adopted precisely for the purpose
of protecting cardholder information and guarding against the type of
data compromise recently experienced by CardSystems."
In the letter Visa sent to the banks, Mr. Murphy suggested that the
data breach occurred as early as August 2004.
_________________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 -
2,000+ international security experts,
10 tracks, no vendor pitches.
www.blackhat.com
