Credit card processor
CardSystems is likely
to close following last month's theft of 40 million client
records. The company lost two of its main customers last week,
Visa and
American
Express.
CardSystems chief executive John Perry told the
US House of Representatives
last week that the firm will "be forced to permanently close its doors" unless
the two credit card companies reconsider.
Perry testified in a hearing about the security of credit card processing for
a subcommittee on financial services. A PDF of his testimony is available for
download
here.
Visa sent a memorandum last week to inform banks that the credit card
provider plans to cancel its contract with CardSystems.
"In violation of Visa's rules [CardSystems] did not have the appropriate
controls in place to protect cardholder information," Rosetta Jones, vice
president for Visa, told
vnunet.com.
"Despite some remediation actions taken by the processor since the initial
reporting of the data compromise, Visa cannot overlook the significant harm that
the data compromise, and CardSystems' failure to maintain the required security
protection, has had on Visa member financial institutions, merchants and
cardholders."
American Express followed Visa's example, while
MasterCard
has extended its deadline until 31 August for CardSystems to prove that it
complies with the firm's security requirements.
In what is believed to be the largest case of identity theft in history,
hackers stole 40 million client records from CardSystems' database. MasterCard
made the case public after its fraud fighting tools pointed out the hack.
CardSystems stored data in such a form that the hackers were able to trace
the information back to individual accounts.
Perry acknowledged that this was in violation of the security standards
demanded by Visa and MasterCard, and testified that the firm no longer stores
such 'track data'.
The breach of CardSystems' computers dated back to September 2004, when a
script was installed on its servers that periodically looked for specific file
types.
"We know for certain that three files were wrongfully removed from the
CardSystems platform," said Perry. The three files contained a total of 263,000
records for 239,000 account numbers.
Do you agree?
Have your say on this article