CardSystems Takes Heat for Breach; Praise for Card Companies
Payment card firms emerged nearly unscathed from a House Financial Services oversight subcommittee hearing Thurs. on the security of credit card data processing. The immediate spur was a breach at CardSystems Solutions, a 3rd party payment processor for several card companies. That breach compromised more than 40 million credit card accounts from 4 major firms (WID June 23 p8). The incident led Visa and American Express to sever ties with CardSystems as of Oct. 31.
Also Thurs., Reps. Pryce (R-O.), Castle (R-Del.) and Moore (D-Kan.) introduced data security legislation to define “harmful” breaches, create a national notification standard for affected customers, and include 3rd party companies under requirements to monitor credit reports of affected customers for suspicious activity. Reps. LaTourette (R-O.) and Hooley (D-Ore.) dropped a competing bill Thurs. that would mandate a national notification standard, free 12-month credit monitoring for consumers at “significant risk” from breaches, and detailed descriptions of breach circumstances and remedial efforts for consumers.
Members made clear early they weren’t looking to horse-whip card firms for the CardSystems breach. MasterCard in particular drew praise for revealing its processor’s breach when it was “really under no direct obligation to do so,” said Rep. Garrett (R-N.J.). Rep. Bachus (R-Ala.) was the sole defender of CardSystems, saying it was a “victim” deserving commendation for disclosing its breach. “In the aftermath of this hacking incident, I think the system worked well,” he said.
The system’s most vocal critic, Rep. Maloney (D-N.Y.), said CardSystems “appears to have been absolutely clueless for months” on the breach of its system. A script that exports magnetic stripe data to an FTP site was found last month on CardSystems’ platform, but was determined to have been installed in Sept. The incident and a recent rash of data brokerage firm breaches show the industry needs “more regulations, more enforcement and more penalties,” Maloney said. She didn’t exempt regulators, saying they “played ‘pass the hot potato’ with this whole incident.”
Rep. Price (R-Ga.) begged Maloney and others to “lower the rhetoric,” calling such proposals “oftentimes the knee-jerk reaction” to complex incidents. Moore urged caution: “Sometimes when Congress sees a problem, they overreact,” sparking crowd laughter.
CardSystems CEO John Perry took hit after hit from members, as they continued to thank Visa, MasterCard and Discover Card witnesses for their security policies and quick disclosures. Perry went into detail on the breach: Someone placed a script on the CardSystems platform through a Web-based customer access application in Sept. The script was set to run every 4 days extracting, zipping and exporting track data from magnetic stripes on cards to an FTP site. The firm has confirmed only a single incident of data export, on May 22, involving 239,000 “discrete account numbers.” The data didn’t include Social Security numbers (SSNs), meaning there’s “virtually no risk” of identity theft, as opposed to short-lived card fraud, Perry said.
Ranking member Gutierrez (D-Ill.) said he was baffled by Perry’s chronology, asking how CardSystems could take so long to detect the exporting script and why a hacker would wait 8 months to steal data. Gutierrez also flamed CardSystems for holding data clearly prohibited under Visa and MasterCard’s security policies. The exported data consisted of incomplete transactions, Perry said, and CardSystems has “repeatedly acknowledged” it shouldn’t have had them. Merrick Bank Chmn. David Watson, whose institution sponsored CardSystems to process Visa transactions, said his bank had learned CardSystems had kept such information since 1998.
The bad publicity CardSystems has earned from telling card companies of the breach will set a poor example for inevitable future breaches, Perry said. The 115-employee firm is “being driven out of business” by the scandal, which will serve only to keep breaches secret: “Other companies will have less incentive to come forward,” seeing the treatment CardSystems has gotten. He said that although Visa said it would drop CardSystems, the card company had scheduled a meeting to discuss the problems. CardSystems soon will be in compliance with the Payment Card Industry Data Security Requirements (PCI), an industrywide extension of Visa’s Cardholder Information Security Program (CISP), Perry added.
Privacy Times editor Evan Hendricks didn’t buy CardSystems’ pleas: “Some companies won’t have added security unless they're forced to” by law, which at minimum should require companies to encrypt customer data for which they have no immediate need. Hendricks said those claiming credit card transaction data aren’t as useful to thieves as SSNs underestimate the craftiness of hackers, who have been known to create SSNs in part from stolen credit card data.
Auditors’ role in verifying 3rd party processors for card companies was on members’ minds. Subcommittee Chmn. Kelly (R-N.Y.) asked Steve Ruwe, Visa exec. vp-operations & risk management, how Cable & Wireless, the firm that initially audited CardSystems, got on the card company’s list of approved auditors. She noted Cable & Wireless was acquired by Savvis Communications last year after filing for Chapter 11 bankruptcy, and that some “discrepancies” in its auditing practices came up. Ruwe said Visa temporarily suspended its traffic with Savvis pending an inquiry. Kelly then asked if the auditing industry follows basic standards, receiving affirmation from witnesses, but then said each firm should go beyond an industry minimum with its own proprietary rules. Zyg Gorgol, American Express senior vp-fraud risk management, said Amex’s security standards are included in contracts with auditors, and consequences for failure to follow them “do have teeth.” Gutierrez praised Kelly’s queries, saying “our checks and balances are all out of whack.” He asked Ruwe to provide details of Visa’s auditing process in writing.
Rep. McHenry (R-N.C.) asked witnesses if market forces provide enough impetus for card companies and processors to make sure data are secure. They all said “yes,” but Perry added that a more accurate term would be “negative market force,” saying the hits breached companies have taken have exceeded any security gains by firms. Data broker ChoicePoint said Wed. in 2nd quarter financials that its 145,000-customer breach cost $6 million (see separate story). Perry said he doubts continued high-profile breaches will convince every company’s executive leadership to improve security procedures. He said he knows security officers fighting with their executives to fund better security.