[ISN] Credit Data Firm Might Close

InfoSec News isn at c4i.org
Mon Jul 25 04:21:54 EDT 2005

Forwarded from: security curmudgeon <jericho at attrition.org>

Everyone grab their violins..

: http://www.washingtonpost.com/wp-dyn/content/article/2005/07/21/AR2005072102465.html
: By Jonathan Krim
: Washington Post Staff Writer
: July 22, 2005
: The head of a payment processing firm that was infiltrated by computer 
: hackers, exposing as many as 40 million credit card holders to possible 
: fraud, told Congress yesterday that his company is "facing imminent 
: extinction" because of its disclosure of the breach and industry's 
: reaction to it.
: "As a result of coming forward, we are being driven out of business,"  
: John M. Perry, chief executive of CardSystems Solutions Inc., told a 
: House Financial Services Committee subcommittee considering 
: data-protection legislation. He said that if his firm is forced to shut 
: down, other financial companies will think twice about disclosing such 
: attacks.

Hi Mr. Perry. I'm California law. I *require* you to come forward over
such a breach. You don't have a choice, you were not being altruistic,
you were not being overly ethical. You were following the laws.

: Perry called the decisions by Visa and American Express draconian and 
: said that unless Visa reconsiders, CardSystems would close and put 115 
: people out of work. 

: While Perry said his company is doing everything it can to ensure that 
: such a breach never occurs again, Visa said it could not overlook that 
: CardSystems knowingly violated contractual requirements for how long 
: credit card data were supposed to be stored and how they were secured.

CardSystems signed a contract with Visa saying that data would meet
certain technical security specifications, and that it would adhere to
a policy regarding data retention. This compromise shows that *both*
failed, and Visa is not happy with CardSystems breaking said contract.
This is business 101 folks. I feel bad about most of the employees
that will lose their jobs, but CardSystems failed them and they are
paying the price. As a Visa and AmEx card holder, I am quite happy.

: Neither Perry nor representatives of the major credit card companies 
: could explain at the hearing why an audit of CardSystems in 2003 did not 
: address its computer vulnerabilities or its practice of retaining some 
: data for research purposes.

Hope it leaks out which security firm did this audit!
