ews about the biggest payment data security breach ever broke June 17, 2005. Even with all the previous incidents of the past several months, this one surprised everyone. Forty million credit and debit card account records, stored at a payment processing company, CardSystems Solutions Inc., had been compromised.

CardSystems, headquartered in Atlanta with a processing facility in Tucson, Ariz., provides front-end authentication services to other payments companies and handles more than $15 billion worth of transactions annually for small- to mid-size merchants and financial institutions.

The 40 million accounts belonged to people in the United States, Australia and throughout Asia. The data had been stored in violation of card Association rules.

The sheer scope of the CardSystems story makes it an interesting one, although the vast number of credit and debit card records that were potentially violated is hardly the only thing worth mentioning.

It's a great case study and a challenging one to grasp. It encompasses every issue in securing data: Non-compliance with card Association standards; an international reach; big fines for CardSytems and its acquiring bank; Merrick Bank of Old Bethpage, N.Y.; disclosure timelines; liability; finger-pointing; poor crisis management; the impact of negative publicity on consumer confidence; even subsequent phishing scams.

What Happened?

As with most of these cases, as time goes by more information will be revealed, and fall-out events, including lawsuits (one was filed in California on June 28) and legislation, will occur.

One area creating confusion is the timeframe: exactly who knew what, when they knew it and reported it. For instance, statements issued have contained conflicting information about when the card Associations knew CardSystems was storing unnecessary cardholder data, and therefore, was out of compliance. MasterCard International issued a press release on June 17 stating that it would notify its member financial institutions of the CardSystems breach. In a proactive public relations move soon criticized by others in the industry, the Association said that its team of security experts had identified a breach that could affect 40 million accounts, 13.9 million of which belonged to its own cardholders, and that it had tracked the breach to CardSystems' Tucson facility.

MasterCard said that a lapse in CardSystems' system created vulnerabilities (the lack of a firewall and virus definitions are likely possibilities) that "allowed an unauthorized individual to infiltrate their network and access cardholder data." In other words, hackers used a virus-like script to break in and extract data, potentially compromising the 40 million records stored at CardSystems.

The storage issue really got CardSystems into trouble. One of the main tenets of Association data security standards prohibits the storing of transaction data for any reason. On June 20, "The New York Times" reported that John Perry, CardSystems' Chief Executive Officer, said the data was in a file being stored for "research purposes," apparently to see why some transactions were not completed or authorized.

"We should not have been doing that," Perry was quoted. He also indicated that CardSystems had identified the breach originally and then took necessary steps to fix the problem.

MasterCard said it began to notice patterns of unusual activity as early as mid-April, according to The Times report. In mid-May, Visa U.S.A. joined MasterCard in requesting that Ubizen, a third-party forensics provider, investigate. The forensics team identified the virus-like script as the source of the fraudulent patterns on May 22, and CardSystems said it contacted the Federal Bureau of Investigation the next day.

Just days after the big announcement in June, however, news of incidents of fraud from Down Under began surfacing. It seems that National Australia Bank (NAB) was the first bank in the world to begin noticing fraudulent transaction patterns related to CardSystems as far back as September 2004. NAB said it reported what it knew to Visa and MasterCard at that time, according to Australia's Treasurer, Peter Costello.

Another Australian banking official, Joel Fitzgibbon, wondered when the Australian and American governments knew about the fraud, and whether a decision had been made to not inform consumers of the exposure. So far 130,000 cardholders in Australia have been affected.

Card-issuing banks and their customers around the Pacific Rim were also affected. In addition to Australians, people from countries including Hong Kong, China, Singapore, Japan and New Zealand who conducted transactions from September 2004 to June 2005 with U.S. merchants in person, online or by phone are at risk; so far, 483,000 cards will be reissued in those countries. (In Japan, card issuer JCB said 31 of its cards might have been compromised.)

Chris Noell, Vice President of Business Development for Solutionary Inc., a managed security services company in Omaha, Neb. that provides network security monitoring, intrusion detection management and vulnerability assessments, said one thing setting this case apart from others was the way it was detected.

"Unlike most of these breaches where we hear about the number of cards that were potentially accessed, it's somewhat murky whether there has been some type of fraud committed," Noell said. "In this case, they found it through actual incidents of fraud, at least according to MasterCard and the National Australia Bank.

"In the course of their own investigations, they were able to isolate the pattern of fraud back to CardSystems. This has nothing to do with computer forensics. They noticed suspicious activity originating from a common source," he said.

Should Consumers Know?

Whether the breach was initially identified in September, November or May, 40 million credit and debit accounts were still compromised. The odds of being one of those affected cardholders are fairly good. Issuing banks and credit card companies are taking different approaches to inform and reassure their customers; some have already sent letters or reissued cards.

The lawsuit filed in California does not seek monetary damages; instead, plaintiffs hope to force the notification issue on behalf of consumers. However, as spelled out in current laws, companies must notify consumers only when certain types of data are compromised. In the CardSystems case, "It's not clear to me that there actually is a duty for cardholders to be notified of a breach like this," Noell said.

That's because "no personally identifiable" information, such as names, Social Security numbers or birth dates, was accessed.

JPMorgan Chase & Co., Citigroup Inc., Bank of America Corp., American Express Co. and MBNA Corp. are among those companies that will not automatically alert their customers, saying they'll monitor accounts and see what happens. However, some banks across the United States began to notify their customers in the week following the breach, duty to inform or not.

"The Seattle Times" reported that thousands of credit and debit cardholders in that area received letters from their banks and credit unions saying their information had been stolen from CardSystems; at least three regional institutions notified more than 50,000 customers. Washington Mutual, headquartered in Seattle, told 1,400 customers it would replace their cards because they were at high risk; the bank continues to gather information on how many of the remainder of its 10.5 million debit accounts will be affected. Associated Credit Union of Norcross, Ga. will reissue 3,000 Visa-branded debit and credit cards, "The Atlanta Journal-Constitution" reported.

MasterCard acknowledged immediately that it knew of specific instances of fraud against its cardholders, citing 68,000 account numbers that were actually exported from CardSystems' files, but it is leaving it up to the issuing banks to contact cardholders.

"By their own admission, CardSystems ... violated Visa's standards for holding card data," Visa said in a statement. It "immediately began working with the processor, law enforcement and affected Member financial institutions to prevent card related fraud." Visa said it has not detected any evidence of fraud against cardholders, and "encourages cardholders to regularly monitor their accounts" and notify their banks of any unusual activity on their cards.

Financial institutions are worried about the cumulative effect that security breaches will have on consumer perception and behavior. "Clearly, each one of these incidents damages consumer confidence in electronic payments," Noell said.

According to a report published by equity research firm Thomas Weisel Partners, there are a number of issues involved in providing too much information to the general public when sensitive data are exposed. These include a slowing of consumer adoption of online financial services and other forms of electronic payments.

"Although added security is clearly a positive for any online platform, many industry professionals do not wish to become accidental 'fearmongers,' scaring potential customers that might want to test an online platform," the report warned.

Thomas Chapman, Chairman and CEO of Equifax, the credit-reporting bureau, acknowledged that consumer trepidation over how safe their data really are could eventually stifle consumer spending. In a speech to the Commonwealth Club of California, Chapman said that identity theft "is an epidemic that worries me to death."

Equifax has earned record profits this year, partly as a result of more people checking their credit reports more frequently, which is the only defense they have against data theft. It's an after-the-fact solution, though, and Chapman said it doesn't protect consumers. "It's not going to help, and the public is starting to learn that," he said. What Chapman would like to see, rather than the government's proposed law to force the three credit bureausto provide reports free of charge, are stricter standards for storing data, including mandatory encryption, and a new form of identification that doesn't rely on Social Security numbers.

Will More Laws Help?

The financial services industry for the most part is resisting government intervention such as regulation and legislation. Only a few states have laws on the books that force companies to notify consumers who might be affected by a security breach; California, Alaska, Arkansas, Washington and Connecticut do, and Texas will soon. There is no nationwide disclosure law.

But legislators and consumers might have the final say, thanks to the escalation in data security breaches this year; so far, the account information of 58 million people has been put at risk. (Federal Trade Commission Chairman Deborah Majoras was notified in June this year that her credit card number was among 1.4 million stolen from shoe retailer DSW last year.)

Politicians in California, the first state to enact disclosure legislation, are promoting consumer protection measures at both the state and federal levels. The state's year-old privacy law, known as SB1, was recently partially overturned by a federal appeals court on the basis that it conflicts with federal law. The bill's author, state Sen. Jackie Speier, who successfully pushed the bill past considerable opposition, said, "Two-thirds of SB1 is intact; intact, strong and stronger than the federal law."

Sen. Dianne Feinstein authored three bills currently pending in the Senate including legislation that would create a national standard on notification, set a national standard for protecting personal information and prohibit the sale or display of Social Security numbers to the general public.

In a letter to the CEOs of all four major card companies following the CardSystems breach, Feinstein wrote, "This incident is a clear sign that the industry's efforts to self-regulate when it comes to protecting consumers sensitive personal data are failing."

Following the CardSystems breach, however, MasterCard called for the expansion of the Gramm-Leach-Bliley Act, which currently applies only to financial institutions and their duties to protect consumer data. MasterCard has urged Congress to extend the Act to include any and all entities that store consumer financial information.

Noell believes that the muddled legislative landscape makes for treacherous navigation. "There's a patchwork quilt of legislation, and I don't think anybody, least of all the merchant community, has a full grasp of which of these laws apply to them under each circumstance," he said. "More legal obligations aren't necessarily the answer, but a law that clarifies this situation would be to some advantage."

Where's the Real Problem?

Are the hundreds of companies who process transactions the weak link in the payments system? Many analysts believe that despite the well-intended and concerted efforts of the credit card companies and issuing banks to shore up data security, processors, acquirers and merchants are not heeding the same attention to detail.

The credit card companies have each had their own compliance standards in place for years; however, they've all now agreed to a single standard, known as the Payment Card Industry Data Security Standard, or PCI, implemented last December (see "PCI: Card Associations Unite to Fight Fraud With Collaborative Standard," The Green Sheet, Feb. 14, 2005, issue 05:02:01).

PCI, as a universal standard, is meant in part to simplify the compliance process. It's also more encompassing than the separate programs, redefining requirements and broadening merchant levels: Now, any person, product or service that touches cardholder data at any point along the way must comply with PCI. (Whether it applies to delivery drivers transporting boxes of account data tapes is unclear.)

"If you look at the Associations' motivation behind PCI, it's not a money-making venture for them," Noell said. "They adopted it purely to protect their franchises and to instill consumer confidence and to some degree, to avoid government regulation."

Merchants and processors might not know what they're not doing correctly, through no fault of their own. Noell said there is a great need for education at the processor and merchant levels concerning liability and obligation. There is a lot of confusion over compliance, including who must comply and how to reach compliance.

"The non-compliance aspect of the CardSystems story points to one of the central sources of customer confusion about security that we come across when we talk to prospects," he said. "They think that by virtue of going through the audit, it somehow makes them compliant. And that's really not true."

CardSystems attained Visa Cardholder Information Security Program (CISP)-compliant status in 2004, but the company is not named on the most current CISP-compliant providers list published on May 27, 2005.

"What makes you compliant is an ongoing process of living up to the standard 24/7, 365 days a year," Noell said. "Companies really need to change the way they approach this. Rather than focusing on dealing with auditors and passing the audit, they need to look first at the standard itself and say, 'Can I reasonably maintain a security program that maintains this level of security with all these 200-plus principles that have been outlined?' and if I can't, then that's a fundamental problem that needs to be addressed separately. You have to live up to a level of operational performance excellence on a daily basis, not a one-time audit pass," Noell said.

One standard for compliance notwithstanding, the assessment process and requirements are a tremendous source of confusion. Noell finds that when he speaks with potential Solutionary customers, including merchants and processors, they need clarity "so that this huge community can move forward decisively and not be frozen by conflicting and confusing legal obligations.

"I don't think that merchants and processors have a full picture of the scope of the problem and how to approach it, and that's creating as much of a problem as anything," he said.

"More than any other need in this market, we find that education is core. Education is a critical element in our sales strategy, just getting people to understand what their liability is and what their obligations are."

Is the system too unwieldy to corral? "When you talk about the number of people who have to access to this information in order to process a transaction, it's really a massive undertaking," Noell said. "It's a staggering number of people who all have to exercise a level of care if the information is going to be protected. A hacker only needs to find one way in, and a breach at any one point gets the thieves the goods. To some degree, you attack the weakest link, and you're successful."

CardSystems Solutions did not respond to requests for interviews for this story.