Visa, Amex Cut Ties with CardSystems

By David Worthington, BetaNews

July 21, 2005, 9:13 AM

In a first-of-its-kind move, Visa USA and American Express Co. have dropped the hammer on an affiliated payment processor several months after it was revealed that a massive security breach exposed the records of millions of its cardholders.

CardSystems Solutions put the account information of approximately 40 million credit card holders at risk for fraud by mishandling data stored in its database. Customers' names, credit card numbers and expiration dates were revealed in the breach.

Of those 40 million, 200,000 were marked as being at high risk for fraud: 100,000 Visa cards, 68,000 from MasterCard, and 30,000 cards from other credit card companies that use CardSystems to process transactions. The breach was the largest of its kind ever to be reported.

Associated instances of fraud have already been uncovered.

A spokesperson for American Express has stated that it will sever its relationship with CardSystems as early as October. The spokesperson declined to provide any further comment.

Visa was more vocal in a memorandum that it sent to its participating banks. "CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for those accounts," said Tim Murphy, Visa's senior vice president for operations. "Visa USA has decided that CardSystems should not continue to participate as an agent in the Visa system."

American Express and Visa expect that merchants and cardholders will continue to experience normal service despite their decision to bar CardSystems from processing their transactions.

Although it did not say whether it would follow Visa's lead, a spokesperson for MasterCard told BetaNews, "MasterCard’s acquiring banks are fully aware that we are working with CardSystems to bring their systems into compliance in as short a time as possible. However, if CardSystems cannot demonstrate that they are in compliance by that date, their ability to provide services to MasterCard members will be at risk."

MasterCard is holding weekly meetings with CardSystems Solutions to monitor its progress in drafting a detailed plan to meet its MasterCard security requirements by August 31, 2005. MasterCard says that it is not aware of any deficiencies that are incapable of being remediated.

A spokesperson for Discover Financial Services, which also uses CardSystems to process transactions, could not be reached by press time.

Some industry watchers see the move as a prime example of industry self-regulation.

"Visa's decision sends a strong message to the industry about their willingness to enforce the PCI Data Security Standard to the fullest extent. We'll see if MasterCard and American Express follow suit," Jeremiah Grossman, Chief Technology Officer of WhiteHat Security, told BetaNews.

In June, the U.S. government's Federal Financial Institutions Examination Council began investigating the network security systems and data handling practices of CardSystems. The FBI has launched a separate investigation.

CardSystems is accused of centralizing all of its accumulated account information onto a single server for research purposes, in violation of the security protocol and policies of nearly all credit card companies.

Hackers obtained access to the server and placed a downloader that transmitted credit card data.

CardSystems Solutions has been providing services to credit card companies for nearly 15 years and has processed as much as $15 billion in transactions annually. The company is privately held and is based in Tucson, Arizona.

A CardSystems spokesperson did not respond to requests for comment in time for publication.

8 Comments


By Firef0x

posted Jul 22, 2005 - 12:21 PM

Sounds logical to me. They should have pulled the plug way early before this huge disaster took place. They violated the security protocols, how can anyone even try to defend them? Or what basis can they have in defending themselves when they have made such a violation in security protocols?

I wouldn't be surprised if CardSystems fades off or goes bankrupt soon.

Score: 0

By animecabbit

posted Jul 22, 2005 - 5:12 AM

The credit card companies can't pull out immediately, there's too much money involved to totally cut the cord.

Can you imagine how much money they'd lose if one of their major sources of CC sales were cut? They'd stop making the 2.x percent off every company that accepts their cards. That amounts to A LOT of money.

BTW, it's illegal to charge a premium to use CC or to allow a "cash discount", however, the CC companies feel it's fine to charge their customers?!?

Score: 0

By ir0nw0lf

posted Jul 22, 2005 - 2:14 PM

"BTW, it's illegal to charge a premium to use CC or to allow a "cash discount", however, the CC companies feel it's fine to charge their customers?!?"

Guess what, it is and it isn't. <-- Huh? We have local County/State offices that accept credit cards for payment, they make you pay a "convenience charge" to use your credit card, which is a way around a credit card surcharge or "premium," either legally or not. Many companies in magazines mention in fine print "prices reflect x% cash discount." Guess what, they get away with it...

Score: 0

By dahri

posted Jul 22, 2005 - 12:24 AM

Wow, after 15 years and they screw it up, now they're in the middle of a breakdown.
But then again, keep in mind that it's difficult to migrate to a new system, the migration would cost them (Visa, Amex, MasterCard, etc.) more, and that is something to reconsider.
They'd have to evaluate the new system, will it be safer and better or at least of the same quality to CardSystems.
This can affect the customers' experience. I just hope it's not severe.

Score: 0

By Tabasco221

edited Jul 21, 2005 - 8:54 PM

I work at a financial institution. We mailed letters to nearly 4,000 affected by the CardSystems Solutions security breach. The letter specifically states that their card will be canceled. What a headache this incident has been for the financial industry. Not to mention the card holders that it affected while they are on vacation trying to use their cards.

We did apologize for the inconvenience and explain that these steps were taken to protect them as well as the financial institution from unauthorized usage.

Score: 0

By kholdstare

posted Jul 21, 2005 - 12:33 PM

If I were a credit card company I would pull out. I can't believe they put almost all the credit card information on one computer.

Score: 0

By azimov

posted Jul 21, 2005 - 12:05 PM

They are being punished, they will be out of business before the year is out. If I was working there, I would be planning my exit soon.

Score: 0

By drumcat

posted Jul 21, 2005 - 10:35 AM

Good. They violated everyone's trust. They should be punished.

Score: 0