The following text is copyright 2005 by Network World; permission is hereby given for reproduction, as long as attribution is given and this notice is included.
The winner so far: CardSystems Solutions
By Scott Bradner
We have a new leader in the race to see which vendor can quantitatively show the least regard for the people whose data it holds. CardSystems Solutions, a third-party credit card processor, has now admitted disregarding the credit card industry security rules it should have been following. In light of such a willful disregard of mandated rules, I do not understand why CardSystems Solutions is still in the credit card processing business.
Some leaders of the credit card industry have been telling Congress that laws requiring notification of people whose private data might be at risk because of a failure of computer or organizational security are a bad idea. They have claimed that people would soon become overwhelmed by all the notices and give up. The industry seems determined to test that hypothesis. For the last few months there has been a steady drumbeat of announcements, most if not all driven by the California law that requires such announcements when the privacy of people's financial information is at risk.
So far, people and the news media are still interested, at least in the big cases such as the recent news that some hacker had gotten access to information about 40 million credit card holders at CardSystems Solutions (http://www.cardsystems.com/). I do wonder what the reaction would be to a future breach exposing a mere 5 million people.
The announcement of the break-in at CardSystems Solutions came from MasterCard, but holders of all the major brands of credit cards were at risk. Visa seemed a bit ticked off that MasterCard had spilled the beans. Visa said that it was working with law enforcement and hoped that MasterCard telling its card holders the truth would not hinder the investigation. It seems to me that Visa's priorities are misplaced; in my opinion, hiding the truth in the name of law enforcement is an excuse to delay taking responsibility.
MasterCard reported that CardSystems Solutions did not meet the current Payment Card Industry (PCI) Data Security Standard. These mandates (usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf), which are actually quite good, were supposed to be in effect at companies the size of CardSystems Solutions last September (http://www.merchante-solutions.net/infosecurity/mandates.htm). Yet half a year later a company processing millions of credit card transactions per year was ignoring parts of the standard, and it has now admitted to doing so.
According to the payment card industry, failure to meet the requirements can result in a permanent prohibition on participation in credit card programs. If the payment card industry is as serious about security as it claims to be, it will use this willful disregard of its own rules to send a message: it will permanently ban CardSystems Solutions from processing credit card transactions. I do feel sorry for some of the people who work at CardSystems Solutions, but not sorry enough to suggest that the company be given a slap on the wrist if it promises to be good in the future.
By the way, the PCI Data Security Standard goes into effect for all organizations that process credit cards in any way three days after this column is published. If you process credit cards, do not mimic CardSystems Solutions; meet the standard.
Disclaimer: Harvard sets standards in some areas and follows them in others, but the university has not expressed an opinion about CardSystems Solutions, so the above suggestion is my own.