The chief of the credit-card processing company whose computer system was penetrated by data thieves, exposing 40 million cardholders to a risk of fraud, acknowledged yesterday that the company should not have been retaining consumer records lost to the thieves.
The official, John Perry, chief executive of CardSystems Solutions, indicated that the records known to have been stolen covered roughly 200,000 of the 40 million compromised credit-card accounts, from Visa, MasterCard and other card issuers. He said the data was in a file being stored for "research purposes" to determine why certain transactions had gone unauthorized or uncompleted.
"We should not have been doing that," Perry said.
Under rules established by Visa and MasterCard, processors are not allowed to retain cardholder information, including names, account numbers, expiration dates and security codes, after a transaction is handled.
"CardSystems provides services and is supposed to pass that information on to the banks and not keep it," said Joshua Peirez, a MasterCard senior vice president who has been involved with the investigation. "They were keeping it."
The security breach was reported Friday when MasterCard International said a lapse at CardSystems had allowed the installation of a rogue computer program that could extract data from the system, potentially compromising 40 million accounts of various credit cards.
MasterCard said Saturday that 68,000 of its own account numbers were especially at risk because they were in a file found to have actually been "exported from the system." CardSystems said yesterday that the file also contained data from other cards in proportion to the volume of business it handles from each company. That would translate to about 100,000 Visa accounts and about 30,000 others.
The details about CardSystems' handling of the data raised new questions about the effectiveness and enforcement of the standards established by the card companies for data protection and storage.
To protect cardholders, Visa and MasterCard have long established policies for the merchants and processors that handle transactions on their payment network. They spent millions of dollars to upgrade their own computer systems with sophisticated fraud-detection software. Over the last two years, they have sent out teams to processor and merchant sites to conduct compliance campaigns.
But one kink in this chain -- one processor that fails to comply -- can put untold numbers of cardholders at risk of fraud.
"The standards themselves are very effectively written," said Tom Arnold, a partner at Payment Software Co., a consulting company that advises and provides security assessments for merchants and processors. "The challenge in the industry can be when people don't fully comply or try to cut corners."