Friday, March 29, 2024

CardSystems Breach Could Lead to Tougher PCI Enforcement

The major breach of credit card account data revealed over the weekend, the latest in a string of such incidents over the past six months, may lead to tougher enforcement of data-security standards by the card companies, experts say. The breach, which exposed cardholder names, account numbers, and card verification values linked to some 40 million accounts and held at CardSystems Solutions Inc., Tucson, Ariz., is the first to have occurred at a third-party merchant-acquiring processor, and as such could also cast a spotlight for the first time on data practices at transaction processors that serve acquiring banks and independent sales organizations.

So far, known hacking incidents compromising card data have occurred at retail chains, including incidents earlier this year at Polo Ralph Lauren and DSW Shoe Warehouse (Digital Transactions News, April 19). But the Payment Card Industry data-security standard (PCI), which Visa U.S.A., MasterCard International, American Express Co., Discover Financial Services Inc., and other card companies settled on in January to set requirements for the handling of card data, applies as much to third-party processors as it does to retailers, experts say. “Payment processors have been under the same deadlines and requirements [as merchants],” says Mike Petitti, senior vice president of marketing at Chicago-based AmbironTrustWave, a firm that audits financial-services companies for compliance with PCI. “They are just as much a risk as larger merchants.”

Indeed, the deadline for both major merchants and third-party processors to show compliance passed last September 30. At that time, the card networks had individual security standards that have since been harmonized into PCI. The standard includes requirements for data encryption, network access, and other protocols to protect card information. Internet merchants face a June 30 deadline for PCI compliance.
Petitti says the apparent failure at CardSystems, which processes $15 billion in card transactions annually for more than 100,000 small and medium-size merchants, to follow the standard will likely lead to beefed-up enforcement across the board from the card companies once they are past dealing with the looming June 30 PCI deadline. “Visa and MasterCard may take another look and say there are some things we might want to do differently,” he says. “We've seen too many things happen in the last six months or so, and the things that get reported are only a fraction of what actually takes place.”

MasterCard reported late Friday that it traced suspicious transaction activity last month to CardSystems where, working with the processor, it identified a rogue set of code that had infiltrated the processor's system and gained access to files containing card-swipe data on 40 million accounts, of which 13.9 million were MasterCard accounts. The remainder belonged to Visa and other card companies. Later the processor said it could substantiate that data had actually been stolen on about 200,000 accounts; MasterCard said this included 68,000 under its brand. CardSystems had been improperly storing the data to support an internal investigation of why certain transactions had not been authorized or had not been completed, the company said over the weekend.

The number of fraudulent transactions that have occurred because of the hack, as well as the dollar losses sustained, remains unclear. The widespread publicity surrounding the incident has reportedly fueled an opportunistic phishing attack in which consumers are receiving e-mails asking them to confirm sensitive details about their MasterCard accounts.

Digital Transactions