(March 22, 2006) In the spin-the-bottle game of assessing blame for the massive debit card breach that has compromised an estimated 600,000 accounts, point-of-sale software developer Fujitsu Transaction Solutions Inc. late last week suddenly found itself the recipient of unwelcome publicity when its name came up in a Visa USA alert about card security. This week, Fujitsu executives are engaged in damage control by disputing the Visa memo, which they say unfairly cast aspersions on their point-of-sale software. At the same time, the brouhaha is casting a spotlight on an obscure software module that has the ability to store card information.

Visa’s memo came to light in The Wall Street Journal March 17. Though Visa hasn’t disclosed it publicly, the Journal claimed to have reviewed it and said Visa warned about older versions of Fujitsu software products RAFT and GlobalStore. According to the Journal, Visa issued the warning after it was made aware of an incident that involved the software and data retention, though the card association didn’t specifically tie the Fujitsu products to the breach. In the breach, hackers not only obtained debit card account numbers, but also the encrypted personal identification numbers and the so-called keys needed to de-encrypt the PINs. Thus armed, they created bogus debit cards and withdrew cash at ATMs in several countries before the affected banks caught on and canceled the cards. Investigators believe the breach happened at a retailer or processor, though details haven’t been confirmed.

But Ed Soladay, chief operating officer at Frisco, Texas-based Fujitsu Transaction Solutions, tells Digital Transactions News that Fujitsu’s products don’t store PINs or other sensitive data. Visa’s memo “was misleading” because “in the context used in the alert one could read that and [conclude] that this was the cause of the security breach,” he says.

Soladay notes that both RAFT and GlobalStore are upgraded continually and are compliant with the Payment Card Industry (PCI) security standards. About 130 mostly large retailers worldwide use the software to handle POS functions, including payments. “We’ve been in contact with all of our customers,” Soladay says. “We have not had any kind of report from any of our customers about any kind of security breach.”

Soladay says Fujitsu executives “have been going back and forth” with Visa ever since the memo’s existence became public, but he sounded a conciliatory note. “I’m not sure Visa meant it that way,” he says. “We’re just in continual dialog with those guys. We’re trying to make sure they understand everything with our software.”

Visa didn’t talk with Digital Transaction News, but a spokesperson sent a statement explaining the memo. “Visa has a responsibility to protect cardholder information,” the statement says. “In instances where any point-of-sale software or modification of it has a potential to put cardholder data at risk, Visa issues alerts to its member financial institutions so that they can take action to prevent the storage of such data. In this instance, we provided a confidential alert to a limited number of financial institutions advising them that a particular configuration of certain software could cause it to store cardholder data. We further advised them of the existence of a software upgrade designed to address the problem.”

Even if Fujitsu’s software isn’t at fault, the flap is providing some possible clues about the breach by bringing to light the role of obscure but important pieces of software called “tracer” utilities that can store account numbers and PINs. While RAFT and GlobalStore don’t store such data, tracer utilities available to test those programs and others when they are installed can, technology experts say. The purpose of a tracer is literally to trace test transactions to make sure the system is working properly. Fujitsu offers its own tracer utility called TRACEMON to retailers who ask for it, but tracers can be obtained from third-party vendors or downloaded from the Web.

Since these utilities are capable of storing cardholder data, Fujitsu urges its customers to delete their tracers as soon as testing is done, Soladay says. “We certainly would strongly recommend that,” he says.

Bill Pittman, president of Redmond, Wash.-based payment software provider TPI Software LLC, says tracers are problem-identification tools that programmers developed to see all transaction communications in raw form. “The intention was debugging, but if it falls into the wrong hands …,” you’ve got problems, he says.

Indeed, the hacking stunned card-industry security executives because of the theft of not only encrypted PINs, but also the electronic means of de-encoding them. Some experts believe one or more insiders must be involved.

Fujitsu Transactions Solutions is owned by Japan-based Fujitsu Ltd.