[ISN] Credit Data Firm Might Close

[InfoSec News]

http://www.washingtonpost.com/wp-dyn/content/article/2005/07/21/AR2005072102465.html

By Jonathan Krim
Washington Post Staff Writer
July 22, 2005

The head of a payment processing firm that was infiltrated by computer
hackers, exposing as many as 40 million credit card holders to
possible fraud, told Congress yesterday that his company is "facing
imminent extinction" because of its disclosure of the breach and
industry's reaction to it.

"As a result of coming forward, we are being driven out of business,"  
John M. Perry, chief executive of CardSystems Solutions Inc., told a
House Financial Services Committee subcommittee considering
data-protection legislation. He said that if his firm is forced to
shut down, other financial companies will think twice about disclosing
such attacks.

Visa USA Inc. and American Express Co. recently announced after
investigating the breach at CardSystems' Tucson, Ariz., facility that
they would no longer allow the firm to process transactions made with
their cards.

Atlanta-based CardSystems is one of several firms that serve as a
little-known hub in the nation's commerce system, transferring
payments between the banks of credit card-using consumers and the
banks of the merchants where purchases are made.

Perry called the decisions by Visa and American Express draconian and
said that unless Visa reconsiders, CardSystems would close and put 115
people out of work. CardSystems handles only a small percentage of
American Express transactions, while Visa accounts for a large part of
its business.

Perry said closing his company could disrupt the ability of merchants
to complete transactions, since it might take time for them to arrange
for alternate payment processors. For that reason, Visa said it is not
cutting off the company until Oct. 31.

While Perry said his company is doing everything it can to ensure that
such a breach never occurs again, Visa said it could not overlook that
CardSystems knowingly violated contractual requirements for how long
credit card data were supposed to be stored and how they were secured.

Rosetta Jones, a Visa USA spokeswoman, said after the hearing that the
credit card giant also has had difficulty getting sufficient
information from CardSystems since the breach occurred. Nonetheless,
at the urging of Rep. Rick Renzi (R-Ariz)., Visa agreed to another
meeting with CardSystems before it severs ties with the firm.

Neither Perry nor representatives of the major credit card companies
could explain at the hearing why an audit of CardSystems in 2003 did
not address its computer vulnerabilities or its practice of retaining
some data for research purposes.

Of the 40 million credit card numbers in CardSystems' data banks,
roughly 240,000 are known to have been downloaded in May by the
hackers, who implanted malicious computer code into the company's
network last fall to gain access to the information.

The files did not contain Social Security numbers, driver's license
data or other personal information frequently targeted by identity
thieves.

Perry said that he knows of no purloined credit card numbers that were
used fraudulently, although MasterCard -- which first announced the
breach to the public last month -- said that "a small number" of card
numbers were misused.

Law enforcement agencies, including the FBI, are investigating the
incident.

Subcommittee members, while condemning the data breaches that have
exposed millions of consumers to possible fraud or identity theft in
the past year, disagreed on what Congress should do about it.

"The CardSystems incident is a spectacular failure" of private
industry to effectively secure personal data, Rep. Carolyn B. Maloney
(D-N.Y.) said in urging greater regulation. "We need to provide the
legal structure to fix it."

In response, Rep. Tom Price (R-Ga.), admonished members against
"greater regulation and greater penalties, which is oftentimes the
knee-jerk reaction" to problems.

With numerous House and Senate bills already introduced to address
identity fraud and theft, and several more being prepared, both
parties expect legislative action.

Most bills would require disclosure of breaches, though the industry
supports limiting notification to cases in which there is significant
risk that the data could be used for fraud or identity theft.

Representatives of the credit card companies yesterday also supported
proposals to extend federal security requirements to payment
processors, not just banks and financial institutions covered by
current law.

Some proposals go further and are likely to be opposed by the
financial industry.

A Senate Commerce Committee bill would allow consumers to "freeze"  
their credit, preventing anyone from getting loans or credit approval
in their names without express permission.

Evan Hendricks, editor of Privacy Times, who testified yesterday as a
privacy expert, said he supports giving consumers the right to sue
when they are damaged by breaches caused by lax security.

"Some companies won't have adequate security unless they are forced
to," he said.

© 2005 The Washington Post Company