[ISN] Lost Credit Data Improperly Kept, Company Admits

InfoSec News isn at c4i.org
Tue Jun 21 01:56:16 EDT 2005


June 20, 2005

The chief of the credit card processing company whose computer system
was penetrated by data thieves, exposing 40 million cardholders to a
risk of fraud, acknowledged yesterday that the company should not have
been retaining those records.

The official, John M. Perry, chief executive of CardSystems Solutions,
indicated that the records known to have been stolen covered roughly
200,000 of the 40 million compromised credit card accounts, from Visa,
MasterCard and other card issuers. He said the data was in a file
being stored for "research purposes" to determine why certain
transactions had registered as unauthorized or uncompleted.

"We should not have been doing that," Mr. Perry said. "That, however,
has been remediated." As for the sensitive data, he added, "We no
longer store it on files."

Under rules established by Visa and MasterCard, processors are not
allowed to retain cardholder information including names, account
numbers, expiration dates and security codes after a transaction is

"CardSystems provides services and is supposed to pass that
information on to the banks and not keep it," said Joshua Peirez, a
MasterCard senior vice president who has been involved with the
investigation. "They were keeping it."

The security breach was first reported Friday when MasterCard
International said a lapse at CardSystems had allowed the installation
of a rogue computer program that could extract data from the system,
potentially compromising 40 million accounts of various credit cards.

MasterCard said Saturday that 68,000 of its own account numbers were
especially at risk because they were in a file found to have actually
been "exported from the system." CardSystems said yesterday that the
file also contained data from other cards in proportion to the volume
of business it handles from each company. That would translate to
about 100,000 Visa accounts and roughly 30,000 others.

It is not clear whether those numbers could yet grow.

The details about CardSystems' handling of the data raised new
questions about the effectiveness and enforcement of the standards
established by the card companies for data protection and storage.

To protect cardholders, Visa and MasterCard have long-established
policies for the merchants and processors that handle transactions on
their payment network. They require their processors, for example, to
hire a certified outside assessor to do an annual security assessment.  
Processors must also conduct a quarterly self-evaluation and scans for
network vulnerabilities.

The card associations have also spent millions of dollars to upgrade
their own computer systems with sophisticated fraud-detection
software. Over the last two years, they have sent out teams to
processor and merchant sites to review compliance.

But one kink in this chain - one processor that fails to comply - can
put untold numbers of cardholders at risk of fraud.

"The standards themselves are very effectively written," said Tom
Arnold, a partner at Payment Software Company, a consulting firm in
San Francisco that advises and provides security assessments for
merchants and processors. "The challenge in the industry can be when
people don't fully comply or try to cut corners."

Avivah Litan, an industry analyst at Gartner Inc., agreed. "If they
are really serious about these programs, they should pay attention to
how the processors are guarding the data, and they are not," she said.  
After the disclosure of the security breach at CardSystems, varying
accounts were offered about the company's compliance with card
association standards.

Jessica Antle, a MasterCard spokeswoman, said that CardSystems had
never demonstrated compliance with MasterCard's standards. "They were
in violation of our rules," she said.

It is not clear whether or when MasterCard intervened with the company
in the past to insure compliance, but MasterCard said Friday that it
had now given CardSystems "a limited amount of time" to do so.

Asked about compliance with Visa's standards, a Visa spokeswoman,
Rosetta Jones, said, "This particular processor was not following
Visa's security requirements when we found out there was a potential
data compromise."

Earlier, Mr. Perry of CardSystems said his company had been audited in
December 2003 by an unspecified independent assessor and had received
a seal of approval from the Visa payment associations in June 2004.

CardSystems, based in Tucson, processes more than $15 billion in
payments for small to midsize merchants and financial institutions
each year.

MasterCard said that it had detected atypical levels of fraudulent
charges on its cards as early as mid-April and, joined by Visa and an
unspecified bank in mid-May, had requested that CardSystems allow its
independent forensics team, Ubizen, to investigate. It was not until
May 22 that the security specialists identified the rogue computer
program as the source, MasterCard said.

CardSystems said it contacted the F.B.I. offices in Tucson and Atlanta
on May 23. The F.B.I. said Friday that its investigation was

Only MasterCard affirmed that it knew of specific instances of fraud
against its customers traced to the CardSystems breach. Visa said it
was monitoring the situation but had yet to detect any fraud traceable
to the case. Those companies, along with American Express and
Discover, said their cardholders would not be liable for fraudulent
charges on their accounts.

Cardholders' concerns were largely referred to the card-issuing banks.  
Citigroup said the risk of identity theft to its cardholders was low
but said it would closely monitor accounts. Chase Cards said that if
cardholders spotted suspicious activity on their monthly or online
statements, they should contact their bank. In such a case, identity
theft experts said, it would be prudent to cancel the account.

CardSystems is one of hundreds of processors that provide terminals to
merchants and help banks process millions of transactions a day,
electronically relaying cardholders' names, account numbers and
security codes so that once a card is swiped, the sale will be
authorized, the merchant will be paid and the customer will be billed.

The processors area also a point in the matrix exposed to Internet
traffic and possible intrusion.

"They typically have a Web site where merchants sign on with and then
the merchants can look at the daily transactions, the balance in their
account," Edward Lawrence, a managing associate at the Auriemma
Consulting Group in Westbury, N.Y., which advises credit card
merchants and processors. "My guess is that a hacker would get into
the Web site and somehow find their way past a firewall and through
the passwords and encroach onto the programming system."

Mr. Peirez of MasterCard said that the data inappropriately retained
by CardSystems was particularly sensitive because it included
cardholders' three- and four-digit security codes, making it more
attractive to potential thieves because it can double or triple the
black-market value of a cardholder's account. Ms. Litan of Gartner
said there was no reason for a processor to store security codes.  
"It's probably just laziness or they don't know the rules," she added.

In addition, the data lost in the CardSystems case was apparently not
encrypted. "If it was encrypted, the hacker would have gotten data but
would not have known how to read it," said Mr. Lawrence of Auriemma

The 40 million accounts that passed through CardSystems during the
period in question may be the largest case of exposed data to date.

"There is going to be a lot of finger-pointing," said Susan Crawford,
a professor of Internet law at Cardozo Law School. "It's a very
complex situation, and we'll wind up for calls for very heavy-handed
government regulation of data transmission."

Yet, there may be little incentive for processors to change. Visa and
MasterCard have said that payment processors that violate their rules
must pay a penalty, but they do not disclose the amounts of those
fines. And it is typically the merchant that bears the cost of data

Zero liability for customers means that fraudulent charges come out of
a bank or store's coffers in the form of higher merchant transaction
fees. "The retailers will pay for it and the issuing banks will get
rich off it," Ms. Litan said. "It's just another revenue stream."

"What is the incentive?" she added. "Staying out of the newspapers."

More information about the ISN mailing list