Visa, Amex To Drop CardSystems

Transaction processor hasn't done enough to shore up security after exposing 40 million accounts to possible theft, credit-card companies say

Steven Marlin, Contributor

July 22, 2005

Visa USA Inc. and American Express Co. are cutting ties with CardSystems Solutions Inc. after a security breach at the card-payment processor exposed more than 40 million card accounts to potential fraud. It was one of the largest data-loss and -theft incidents to hit banks, information brokers, and retailers this year.

Visa said last week that it was terminating CardSystems as a Visa processor, citing violation of Visa's rules for protecting cardholder data. Visa has given banks until Oct. 31 to cease processing transactions through CardSystems. American Express is terminating its relationship with CardSystems, also effective in October. The processor handles less than one-half of 1% of American Express transactions, a spokeswoman says.

CardSystems was verified as compliant with Visa's Cardholder Information Security Program in June 2004 but was later declared out of compliance when it was discovered that it was inappropriately storing cardholder data. "CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for Visa accounts," a Visa statement says. CardSystems "knowingly retained unmasked magnetic-stripe cardholder data, purportedly for 'research purposes.'"

Last week, MasterCard International Inc. said it wasn't aware of any deficiencies in CardSystems' operations that could not be corrected and that CardSystems had stopped storing sensitive data in accordance with MasterCard rules. But CardSystems must demonstrate that it's in compliance by Aug. 31 or its status as a MasterCard processor may be in jeopardy.

CardSystems has hired an IT-security-assessment firm, AmbironTrustWave, and said it would comply by Aug. 31 with Visa and MasterCard security programs. Those programs incorporate the Payment Card Industry Data Security Standard, which requires merchants and processors to implement access-control measures, perform regular network monitoring and testing, and develop an information-security policy.
