[ISN] Credit Data Firm Might Close
isn at c4i.org
Mon Jul 25 04:21:54 EDT 2005
Forwarded from: security curmudgeon <jericho at attrition.org>
Everyone grab their violins..
: By Jonathan Krim
: Washington Post Staff Writer
: July 22, 2005
: The head of a payment processing firm that was infiltrated by computer
: hackers, exposing as many as 40 million credit card holders to possible
: fraud, told Congress yesterday that his company is "facing imminent
: extinction" because of its disclosure of the breach and industry's
: reaction to it.
: "As a result of coming forward, we are being driven out of business,"
: John M. Perry, chief executive of CardSystems Solutions Inc., told a
: House Financial Services Committee subcommittee considering
: data-protection legislation. He said that if his firm is forced to shut
: down, other financial companies will think twice about disclosing such
Hi Mr. Perry. I'm California law. I *require* you to come forward over
such a breach. You don't have a choice, you were not being altruistic,
you were not being overly ethical. You were following the laws.
: Perry called the decisions by Visa and American Express draconian and
: said that unless Visa reconsiders, CardSystems would close and put 115
: people out of work.
: While Perry said his company is doing everything it can to ensure that
: such a breach never occurs again, Visa said it could not overlook that
: CardSystems knowingly violated contractual requirements for how long
: credit card data were supposed to be stored and how they were secured.
CardSystems signed a contract with Visa saying that data would meet
certain technical security specifications, and that it would adhere to
a policy regarding data retention. This compromise shows that *both*
failed, and Visa is not happy with CardSystems breaking said contract.
This is business 101 folks. I feel bad about most of the employees
that will lose their jobs, but CardSystems failed them and they are
paying the price. As a Visa and AmEx card holder, I am quite happy.
: Neither Perry nor representatives of the major credit card companies
: could explain at the hearing why an audit of CardSystems in 2003 did not
: address its computer vulnerabilities or its practice of retaining some
: data for research purposes.
Hope it leaks out which security firm did this audit!