Fallout From CardSystems Breach Continues
One thing to say about the security breach at CardSystems Solutions Inc.: Many who previously paid little attention to the card acquiring business are paying attention to it now.
Sen. Dianne Feinstein (D-Calif.), for example, is using the occasion of this well-publicized security breach to draw attention to legislation she introduced that would require companies to notify customers whenever a hacking incident may have compromised personal data.
"This incident is a clear sign that industry's efforts to self-regulate when it comes to protecting consumers' sensitive personal data are failing," Feinstein wrote in letters to executives at Visa U.S.A., MasterCard International, American Express Co. (AmEx) and Discover Financial Services.
"The fact that hackers could have accessed data on up to 40 million accounts because of a processor's failure to follow your own established rules makes me question the effectiveness and ability of self-regulation by your industry."
Feinstein is one of about a dozen members of Congress who have introduced legislation setting national rules for consumer notifications in events like the CardSystems security breach. On the other side of Capitol Hill, a subcommittee of the House Committee on Financial Services held hearings in July on credit card processing and data security. Among those called to testify were executives of CardSystems and MasterCard.
Meanwhile, Visa and AmEx have terminated CardSystems' status as an approved card processing agent. Visa's member banks have until Oct. 31, 2005 to transfer merchant customers to a different processor. AmEx is giving its merchants and issuing banks until an unspecified date in October.
MasterCard, on the other hand, is giving CardSystems until August 31 to bring its operations into compliance with MasterCard security requirements. Chris Thom, MasterCard's Chief Risk Officer, said taking away CardSystems' right to handle MasterCard transactions wasn't warranted, since CardSystems corrected the problems that led to the breach. "We've made sure they're not a risk, and we'll have them back and running with a fully certified security system by the end of August," Thom said.
Attorney Adam Atlas, who specializes in merchant services issues, said the moves by Visa and AmEx could have serious implications. Most of CardSystems' merchants are with Utah-based Merrick Bank and total roughly 105,000. Atlas said it will be very difficult to place all these merchants with other banks and processors in the coming months.
"Visa is taking an unreasonable position," Atlas said. "They overreacted, and their proposed termination of CardSystems is going to cause more harm than good ... to thousands of ISOs who sell the services of Merrick and CardSystems and the merchants who use those services."
CardSystems continues to move forward in rectifying its data security problems. The company hired AmbironTrustWave, a Chicago-based security management and compliance company, to perform a Payment Card Industry (PCI) Data Security Standard compliance assessment.