Visa, Amex To Drop CardSystems
Transaction processor hasn't done enough to shore up security after exposing 40 million accounts to possible theft, credit-card companies say
Visa USA Inc. and American Express Co. are cutting ties with CardSystems Solutions Inc. after a security breach at the card-payment processor exposed more than 40 million card accounts to potential fraud. It was one of the largest data-loss and -theft incidents to hit banks, information brokers, and retailers this year.
Visa said last week that it was terminating CardSystems as a Visa processor, citing violation of Visa's rules for protecting cardholder data. Visa has given banks until Oct. 31 to cease processing transactions through CardSystems. American Express is terminating its relationship with CardSystems, also effective in October. The processor handles less than one-half of 1% of American Express transactions, a spokeswoman says.
CardSystems was verified as compliant with Visa's Cardholder Information Security Program in June 2004 but was later declared out of compliance when it was discovered that it was inappropriately storing cardholder data. "CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for Visa accounts," a Visa statement says. CardSystems "knowingly retained unmasked magnetic-stripe cardholder data, purportedly for 'research purposes.'"
Last week, MasterCard International Inc. said it wasn't aware of any deficiencies in CardSystems' operations that could not be corrected and that CardSystems had stopped storing sensitive data in accordance with MasterCard rules. But CardSystems must demonstrate that it's in compliance by Aug. 31 or its status as a MasterCard processor may be in jeopardy.
CardSystems has hired an IT-security-assessment firm, AmbironTrustWave, and said it would comply by Aug. 31 with Visa and MasterCard security programs. Those programs incorporate the Payment Card Industry Data Security standard, which requires merchants and processors to implement access-control measures, perform regular network monitoring and testing, and develop an information-security policy.
About the Author
You May Also Like
2024 InformationWeek US IT Salary Report
May 29, 20242022 State of ITOps and SecOps
Jun 21, 2022