isa U.S.A. and American Express Co. (AmEx) stand by previous decisions to remove CardSystems Solutions Inc. from their list of approved processors despite the company's recent announcement of achieving compliance with card Association data security standards.

CardSystems created a big flap this summer when a breach of its computers compromised data on an estimated 40 million credit and debit card accounts ("Will 40 Million Be the Final Straw?" The Green Sheet, July 11, 2005, issue 05:07:01).

On Aug. 31, 2005, AmbironTrustWave, an independent security auditor, submitted on CardSystems' behalf a Report on Compliance to the four major card brands (Visa, MasterCard International, AmEx and Discover Financial Services). CardSystems had hired the auditor to help it identify and correct flaws in its systems and procedures.

CardSystems now appears to have its house in order, but apparently it is too late. Visa could not comment on the report, only that "Visa regards its [earlier] decision relating to CardSystems as permanent."

An AmEx spokesperson said AmEx has reviewed the report, but its decision remains the same: AmEx will no longer allow CardSystems to process its transactions.

Following the breach, MasterCard had agreed to give CardSystems another chance and established the Aug. 31 deadline for the company to achieve compliance with the Payment Card Industry (PCI) Data Security Standard.

PCI is an alignment of Visa's and MasterCard's rules for organizations, including ISOs, processors and merchants, with access to payment card information. The four major card companies operating in the United States have endorsed PCI.

"AmbironTrustWave audited the security of our network, the steps that our 110 employees take to safeguard cardholder data, our vulnerability management program, our information security policy and our ability to regularly monitor and test our network," Perry said.

"We believe that the Report on Compliance concludes that CardSystems meets the PCI standard. We are hopeful that MasterCard, Visa, American Express and Discover will accept this PCI report and validate that CardSystems is PCI compliant."

MasterCard said it expects its review of the report "to require several days or longer should additional inquiry be necessary."

Discover said it plans to "conduct an onsite visit at [CardSystems'] data center in Tucson upon which a decision will be made."

Attorney Adam Atlas stated that if a much larger processor had made the same mistakes the situation would be different. "The Associations are sort of hanging CardSystems out to dry, together with all [its] merchants and ISOs in order to look good," he said. "It is a tremendous inconvenience for about 100,000 people between Merrick Bank [the acquirer] and the ISOs."