Data-Theft Case Proves Need For New Disclosure Law

Written by Evan Schuman
July 22nd, 2005

Top payment-system executives traveled to Washington on Thursday to try to convince members of Congress that no new laws are needed for credit card payment security, that the industry can police itself just fine. But the facts delivered during the testimony told a very different story.

What forced the hearing was a well-publicized security breach in May, when CardSystems Solutions reported that someone had broken into its systems and stolen the details of as many as 40 million payment cards, including names, account numbers and expiration dates.

CardSystems’ CEO, John Perry, told the investigating panel that his people immediately called the FBI and reported the problem, and that the company told its sponsoring bank (Merrick Bank) and Visa a few days later.

CardSystems explained its delay in briefing Visa by saying it wanted to know exactly what had happened first, and that the FBI was still investigating. When Visa learned of the news, it quickly told the world.

Proponents of the “everything’s just fine as it is” school pointed to the situation as proof that the current rules are sufficient, that the industry can adequately police itself. Visa was repeatedly praised as having announced the break-in even though it was not legally required to do so.

But it was CardSystems’ Perry who made the most convincing point of the day in favor of needing new laws when he testified that his company is facing a likely bankruptcy. He blamed it on having disclosed the incident to Visa.

“As a result of coming forward, CardSystems is being driven out of business,” he said, adding that other companies are likely to have a strong disincentive to come forward if CardSystems is left to die.

The immediate cause of those financial problems is that Visa and American Express have already said they are going to stop using CardSystems.

Wait a second. CardSystems is not facing severe economic distress because it disclosed this incident. That’s like a murderer complaining about living in prison and blaming it on police on the rationale that had the police not arrested him, he wouldn’t be in prison.

Visa and American Express did not fire CardSystems because they disclosed. For that matter, Visa and Amex didn’t even fire CardSystems because they were the victim of a criminal attack.

Visa and Amex fired CardSystems because CardSystems had blatantly violated two critical conditions of their contracts. Those violations were discovered because of the investigation of the break-ins, but that’s beside the point.

CardSystems’ two crimes were allowing the credit card data files to be readable (not encrypted) and keeping on file some consumer-identifying data from the cards’ magnetic stripes. That’s why CardSystems is in trouble, and no clever PR spin should allow us to forget that.

But CardSystems certainly had no monopoly on PR spin at Thursday’s hearing. Isn’t it remarkable that American Express and Visa both decided on Tuesday to terminate CardSystems for this months-old incident?

It’s more remarkable yet when you remember that they were both testifying before the committee on Thursday morning, so Tuesday announcements would be in the papers the day before the hearing, which is when committee aides are preparing the House representatives.

There’s no doubt that the contract violations were the underlying reason for the terminations, but the timing of the hearing was certainly a factor. Gotta look like you’re trying your best when facing members of Congress looking for a scapegoat.

Speaking of scapegoats, a new player was introduced into this mess Thursday, and it was Cable & Wireless Security, now owned by Savvis Communications. Cable & Wireless had performed an audit on CardSystems long before the incident, and that glowing audit report is what Visa pointed to as the reason it welcomed CardSystems into its group.

Quickly sensing a better scapegoat (political note: the best scapegoat is always the one not in the room), CardSystems seized on Cable & Wireless’ audit as the problem here. Gosh, implied CardSystems’ CEO, had only Cable & Wireless been doing its job, it would have discovered how lousy a job I was doing, and none of this would have happened. Shame on them!

In fairness, Cable & Wireless Security may indeed have missed some things in its audit, but when we spoke with the executive in charge of that auditing team (who apparently hadn’t known of the congressional testimony until we called and brightened his day), he was quite convincing that the problems didn’t exist on the machines they examined when they examined them.

This gets us into the age-old, and difficult to fix, problem with any kind of auditing. The auditor works for the company being audited. The auditor is allowed to examine only what the audited company provides. If Cable & Wireless was told that these machines over here were the only ones used for handling Visa transactions, they were limited to exploring those machines.

Even if those were the correct machines, an audit is only a snapshot of the days on which it happened. If the company starts getting sloppy (or worse) the day after the audit is completed, the auditor can’t be blamed.

Visa also cited a lack of cooperation from CardSystems as one of its reasons for severing its relationship. (As a reporter who has never received a call back from CardSystems, I’ll try not to comment that those charges certainly seem easy to believe.)

CardSystems defended its shortfall of answers to Visa by saying that some unidentified former employees of Cable & Wireless couldn’t be found to answer those questions.

Cable & Wireless said no such people exist. The audit team consisted of four people, three of whom are still with the company, while the fourth left recently and is very easy to find.

Perry’s point about the disincentives to disclose, however, is quite valid. Without a new law, these kinds of incidents won’t happen less frequently. They’ll merely be disclosed less frequently.

It’s like the sleight of hand of the FBI’s crime statistics. Television anchors typically say those numbers mean that the number of murders or burglaries or whatnot has gone up or down, but that’s not at all what the reports say.

They merely say that the number of crimes reported and classified as murders or burglaries has gone up or down. There are lots of reasons why reports go up or down that have little to do with the actual crime going up or down.

There’s no question that lots of finger-pointing surrounds this problem, along with seemingly contradictory information. And there’s also no question that it wouldn’t be any better if it had all happened in secret.
