Visa, Amex To Drop CardSystems

Transaction processor hasn't done enough to shore up security after exposing 40 million accounts to possible theft, credit-card companies say

Steven Marlin, Contributor

July 22, 2005

2 Min Read
InformationWeek logo in a gray background | InformationWeek

Visa USA Inc. and American Express Co. are cutting ties with CardSystems Solutions Inc. after a security breach at the card-payment processor exposed more than 40 million card accounts to potential fraud. It was one of the largest data-loss and -theft incidents to hit banks, information brokers, and retailers this year.

Visa said last week that it was terminating CardSystems as a Visa processor, citing violation of Visa's rules for protecting cardholder data. Visa has given banks until Oct. 31 to cease processing transactions through CardSystems. American Express is terminating its relationship with CardSystems, also effective in October. The processor handles less than one-half of 1% of American Express transactions, a spokeswoman says.

CardSystems was verified as compliant with Visa's Cardholder Information Security Program in June 2004 but was later declared out of compliance when it was discovered that it was inappropriately storing cardholder data. "CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for Visa accounts," a Visa statement says. CardSystems "knowingly retained unmasked magnetic-stripe cardholder data, purportedly for 'research purposes.'"

Last week, MasterCard International Inc. said it wasn't aware of any deficiencies in CardSystems' operations that could not be corrected and that CardSystems had stopped storing sensitive data in accordance with MasterCard rules. But CardSystems must demonstrate that it's in compliance by Aug. 31 or its status as a MasterCard processor may be in jeopardy.

CardSystems has hired an IT-security-assessment firm, AmbironTrustWave, and said it would comply by Aug. 31 with Visa and MasterCard security programs. Those programs incorporate the Payment Card Industry Data Security standard, which requires merchants and processors to implement access-control measures, perform regular network monitoring and testing, and develop an information-security policy.

Read more about:

20052005

About the Author

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights