WASHINGTON – Executives from the major card brands as well as CardSystems Solutions spent over four hours last week testifying before the House Financial Services Committee’s Subcommittee on Oversight and Investigations about how up to 40 million credit and debit card accounts were compromised in the industry’s biggest card security breach to date. But while the hearing brought to light how the breach happened, none of the legislators appeared close to figuring out how to prevent another, similar breach in the future.

First, how it happened. The card data security breach at the Atlanta-based CardSystems, which exposed potentially millions of cardholders to credit card fraud, came about from a computer script that had been implanted in its systems, John Perry, CEO of CardSystems, told the legislators in the July 21 hearing.

“This script ran on our system and caused records to be extracted, zipped into a file, and exported to an FTP site (similar to a Web address). It was a sophisticated script that targeted a particular file type, and was scheduled to run every four days,” the CEO said in testimony prepared for the hearing.

Perry said that the company had identified only one day, May 22, on which it was certain that data was downloaded, but he also said that the script had been on its system since September 2004. Under sharp questioning from legislators, he acknowledged that a script scheduled to run every four days would surely have downloaded more data than has been identified so far, and that the ultimate scope of the damage might not be known for months.

Commenting after the hearing, Barry Smith, President of Bankcard Fraud Solutions and a noted card security consultant, observed that it was possible, for example, that the malicious script included the ability to “clean up” after itself once it had downloaded the data.
In other words, the May 22 download might just have been the last one in the string and therefore the only one that could still be found.

Another mystery was how Visa came to recognize and approve CardSystems Solutions as a card processor at all. Perry told the hearing that his firm had been audited by Cable and Wireless, a Visa-approved firm, in late 2003. The Cable and Wireless audit found that CardSystems was compliant with Visa’s Cardholder Information Security Program, the card brand’s card security standard. CardSystems paid for the Cable and Wireless audit, which was forwarded to Visa and which the firm used to attract its banking clients. Perry’s prepared statement did not address why the Cable and Wireless audit had not identified that the firm was storing card data on its system in violation of Visa and MasterCard rules, and he was unable to clarify the point under questioning from the legislators. No one from Cable and Wireless, which is headquartered in Britain, appeared at the hearing, and Visa said it was investigating further.

In case anyone had misunderstood, Perry made sure the Subcommittee knew that his firm’s demise is imminent if Visa and American Express do not allow it to reach the card industry’s data security standard by August 31. The two card brands, which together account for more than 50% of the firm’s card transactions, have said they will no longer process with CardSystems. Perry said that Visa officials had signaled on the morning of the hearing that they might reconsider their decision, and he pointed out that if his firm closes its doors it will not only send a negative signal to other processing firms but also cause business losses to thousands of firms. “Choosing a card processing firm is not as simple as choosing to change phone companies,” Perry said. “It takes time and can cause significant disruption and losses to a merchant’s operations.”

Executives with both CardSystems and Visa met recently with Representative Rick Renzi (R-Ariz.)
who said he had received assurances from both firms that CardSystems would reach the card industry data standard by August 31. But at the hearing the best that Visa executives would promise was to meet with CardSystems executives, not to allow the company to keep operating.

In the end the hearing was long on statements and questions but short on answers, hard plans or legislative proposals, as Subcommittee members remained sharply split, generally along party lines. Democratic representatives called for increased regulation and additional legislation to address the problem, while Republican representatives called for restraint to allow the market to play its proper role in regulating card processing behavior. If a card processor does not suitably protect data, Representative Patrick McHenry (R-N.C.) pointed out, banks will not want to work with it and merchants will shun it. The market can better address these problems; regulation might just make things worse, McHenry said. But Representative Debbie Wasserman Schultz (D-Fla.) said that the security of card information had been one of the topics her office had heard most about from her constituents this year, and that it would only be a matter of time before the card breaches undermined consumer confidence in cards. There might not be time for the market to respond, she declared.
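Returning to the breach mechanics described at the top of the article: the exfiltration ran on a fixed four-day schedule, produced archive files, and pushed them to an external FTP destination, and the consultant's caveat is that a script may erase its host-side traces, leaving egress records as the durable evidence. The following is an added detection example, not code from the article or from any of the companies it names; it runs over a constructed outbound-transfer log (hosts, destinations and file names are placeholders) and flags source/destination pairs whose large archive transfers recur at a near-constant interval, which is the periodicity signature of a scheduled job rather than ad hoc user activity.

```python
"""Periodic-exfiltration detector over constructed outbound-transfer log lines.

Added example (not from the article). Assumes an egress log with one line per
outbound file transfer: timestamp, source host, protocol, destination, file, bytes.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. Hosts and destination addresses are placeholders
# (documentation ranges), not real infrastructure. The proc-db-01 transfers
# mimic the article's pattern: a zipped extract sent every four days.
SAMPLE_LOG = """\
2004-09-03T02:14:07 proc-db-01 ftp 198.51.100.23 batch_0903.zip 41210000
2004-09-05T11:02:44 build-07 ftp 203.0.113.9 release_notes.txt 2048
2004-09-07T02:13:58 proc-db-01 ftp 198.51.100.23 batch_0907.zip 40388000
2004-09-11T02:14:12 proc-db-01 ftp 198.51.100.23 batch_0911.zip 42050000
2004-09-12T09:45:01 build-07 ftp 203.0.113.9 nightly.zip 5120000
2004-09-15T02:14:03 proc-db-01 ftp 198.51.100.23 batch_0915.zip 41777000
2004-09-19T02:13:49 proc-db-01 ftp 198.51.100.23 batch_0919.zip 40991000
2004-09-20T14:30:22 build-07 ftp 203.0.113.9 build.zip 5300000
"""

# File suffixes treated as "bundled for export"; extend to taste.
ARCHIVE_SUFFIXES = (".zip", ".gz", ".tgz", ".rar", ".7z")


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proto, dest, fname, size = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "proto": proto,
            "dest": dest,
            "file": fname,
            "bytes": int(size),
        })
    return events


def find_periodic_exfil(events, min_events=3, max_jitter_ratio=0.05,
                        min_bytes=1_000_000):
    """Return (host, dest) pairs whose large archive transfers recur at a
    near-constant interval.

    min_events       - how many transfers are needed before a period is inferred
    max_jitter_ratio - allowed std-dev of inter-transfer gaps, relative to the mean
    min_bytes        - ignore small files so routine artefact uploads do not trigger
    """
    by_pair = defaultdict(list)
    for e in events:
        if e["file"].lower().endswith(ARCHIVE_SUFFIXES) and e["bytes"] >= min_bytes:
            by_pair[(e["host"], e["dest"])].append(e["ts"])

    findings = []
    for (host, dest), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Relative jitter: a cron-like job has gaps that barely vary.
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter_ratio:
            findings.append({
                "host": host,
                "dest": dest,
                "count": len(stamps),
                "period_days": round(avg / 86400, 2),
                "jitter": round(jitter, 4),
            })
    return findings


if __name__ == "__main__":
    for f in find_periodic_exfil(parse_log(SAMPLE_LOG)):
        print(f"{f['host']} -> {f['dest']}: {f['count']} archive transfers, "
              f"period {f['period_days']} days (jitter {f['jitter']})")
```

On the sample, the build host's uploads are ignored (one is not an archive, the other two are too few to establish a period), while the processing host's five transfers to the same external address are reported with a period of 4.0 days. The jitter threshold and minimum byte size are assumptions to tune against real egress volumes; the point is that because the detection relies on the network record rather than on files left behind on the host, a script that "cleans up" after itself does not defeat it.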