The Green Sheet, Inc
A Warning to ISOs About the CardSystems Security Breach

By David H. Press

On July 19, 2005 Visa U.S.A. announced that by the end of October, it would no longer approve of CardSystems Solutions Inc. as a processor of Visa transactions.

The announcement came nearly two months after CardSystems identified a security breach to its system, which ultimately left the records of some 40 million cardholders at risk of fraud, and only days before the card Associations were scheduled to testify to Congress about their security practices.

"CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for Visa accounts," Rosetta Jones, Vice President, Visa U.S.A. said in a statement. Visa decided that CardSystems could not continue to participate as an agent in the Visa system.

One day following Visa's announcement, American Express Co. said it would also end its relationship with CardSystems in October.

MasterCard International, however, said it is requiring CardSystems to develop a detailed plan by Aug. 31, 2005 to bring its systems into compliance with MasterCard security requirements. If CardSystems cannot demonstrate that it is in compliance by that date, its ability to provide services to MasterCard members will be at risk.

Visa's announcement alone was effectively the obituary for CardSystems as a processor for banks and ISOs: a processor must be able to offer all the major card types to be competitive.

In an article early this year, I wrote that Integrity Bankcard Consultants expects one of the hot and compelling issues for the ISO community to be security breaches that result in the compromise of cardholder data (see "A Must for 2005: CISP and SDP Compliance Reviews," The Green Sheet, Jan. 10, 2005, issue 05:01:01).

We have also been telling our bank, ISO and merchant customers that they must address not only Visa's Cardholder Information Security Program (CISP) and MasterCard's Site Data Protection Program (SDP), but also now the card Associations' new Payment Card Industry (PCI) Data Security Standard, an alignment of their cardholder data programs. There are no more excuses.

In December 2004, Visa, MasterCard and other major card companies announced their endorsement of PCI. The new standard is the result of cooperation between the card Associations to create common security requirements for the industry. While each will continue to have its own program, all will share the same 12 agreed-upon core requirements.

To view a list of requirements, visit: http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf

Card Association members must use, and are responsible for ensuring that their merchants use, service providers that are CISP compliant. For more information, visit: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_service_providers.html

Apparently, Visa could not overcome the fact that when the breach occurred, CardSystems had been inappropriately storing cardholder account information, purportedly for research purposes. The storing of this type of data is in violation of Visa's security rules.

ISOs should review their operations ASAP, not only to ensure that they are PCI compliant, but also that they are not violating any of Visa's rules. ISOs should also work with their larger merchants, who must likewise be in compliance.

In the past two weeks, I have received bills that included sensitive credit card payment information such as card verification value (CVV2 or CVC2) numbers. I doubt that the companies are storing CVV2 or CVC2 data as required by the card Associations.

(And, if they were destroying the data in accordance with Association rules, this would leave them with no proof that the cardholder even authorized the transaction).
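The storage rule behind both the CardSystems finding and the CVV2-on-the-bill problem above is simple to state: sensitive authentication data must not be retained after authorization, and any primary account number that is retained should be masked. The following is an added example, not code from the article or from any processor named in it; the field names (pan, cvv2, cvc2, track1, track2, pin_block) and the first-six/last-four masking convention are assumptions for illustration. It shows a sanitizer applied before a transaction record is written, and an audit that scans already-stored records for data that should not be there.

```python
"""Strip sensitive authentication data from a card transaction record before it is
persisted, and audit already-stored records for fields that should never be present.

Constructed example. Field names and the masking convention are assumptions, not a
specific processor's schema or a quotation of any card Association rule text.
"""
import re
from typing import Any

# Fields that carry sensitive authentication data: card verification values,
# full magnetic-stripe track data and PIN blocks. Never persisted after authorization.
PROHIBITED_FIELDS = frozenset({"cvv2", "cvc2", "track1", "track2", "pin_block"})

# An unmasked PAN is 13 to 19 digits; masked output never matches this.
FULL_PAN = re.compile(r"\d{13,19}")


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits of a PAN, masking the rest."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN too short to be a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy that is safe to persist: prohibited fields dropped, PAN masked.

    Evidence that the cardholder authorized the sale (approval code, transaction
    reference, timestamp) is retained; it is not part of the prohibited set.
    """
    clean = {k: v for k, v in record.items() if k.lower() not in PROHIBITED_FIELDS}
    if "pan" in clean:
        clean["pan"] = mask_pan(str(clean["pan"]))
    return clean


def audit_stored_records(records: list[dict[str, Any]]) -> list[tuple[int, str]]:
    """Flag (index, field) pairs in stored records that hold prohibited data or an
    unmasked PAN. Intended as a periodic self-check of what a system actually retains."""
    findings: list[tuple[int, str]] = []
    for i, rec in enumerate(records):
        for key, value in rec.items():
            lk = key.lower()
            if lk in PROHIBITED_FIELDS and value not in (None, ""):
                findings.append((i, key))
            elif lk == "pan" and FULL_PAN.fullmatch(str(value)):
                findings.append((i, key))
    return findings


# Constructed sample authorization record (test PAN, made-up values).
RAW_RECORD = {
    "pan": "4111111111111111",
    "cvv2": "123",
    "expiry": "12/07",
    "amount": "42.50",
    "approval_code": "A1B2C3",
    "txn_ref": "constructed-0001",
}

if __name__ == "__main__":
    stored = sanitize_for_storage(RAW_RECORD)
    print(stored)
    # Simulate a data store that contains one sanitized and one raw record.
    print(audit_stored_records([stored, RAW_RECORD]))
```

The audit function is the half a practitioner usually lacks: the sanitizer prevents new violations, but the CardSystems case was about data that had already been retained, so a scan over existing tables, exports and invoice templates for the same field set is what surfaces the problem the article describes.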

It looks like CardSystems may not survive the consequences of the security breach. In July, in testimony to the House Committee on Financial Services, CardSystems' Chief Executive Officer John M. Perry said that unless Visa and American Express reconsider terminating their contracts with CardSystems, "we [will] be forced to permanently close our doors."

Could your ISO survive massive fines? Could your merchants?

Retailer BJ's Wholesale Club Inc., a security breach victim in 2004, recovered and is still in business but paid significantly in card Association fines and in damage to its reputation.

BJ's recently settled Federal Trade Commission charges that "its failure to take appropriate security measures to protect the sensitive information of its customers was an unfair practice that violated federal law."

(For more information about this case, visit www.ftc.gov/opa/2005/06/bjswholesale.htm)

David H. Press is Principal and President of Integrity Bankcard Consultants Inc. Phone him at 630-637-4010, e-mail dhp@integritybankcard.com or visit www.integritybankcard.com

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
© 2005, The Green Sheet, Inc.