ARLINGTON, Va. - As more time has passed since the CardSystems data security breach, the fallout indicates that the threat of widespread card information exposure may be with credit unions for a long time and that there may not be much they can do about it. The latest item leading to that suspicion has come in the form of a report from the influential Gartner Group, which made the case that the CardSystems breach represents a broad and widespread failure in the card industry to address its security risks. While Visa in particular has denied the allegations in the report, there is a consensus among many industry security experts that credit unions' best option may be to prepare for the reality that similar breaches will be part of the industry's future for some time. The CardSystems breach earlier this year was the largest card information security failure to date, caused by a piece of computer code which had been introduced into CardSystems computers. The malicious code was programmed to periodically download card information to an unknown party and, in this way, perhaps up to 40 million card numbers had been compromised. Credit unions around the country, whose card portfolios are often too small to absorb a large fraud exposure, have been canceling and reissuing cards rapidly at expenses running into the millions of dollars. In its early August report, Gartner wrote that the responsibility for the breach did not rest with CardSystems alone but extends to other firms as well. "In fact, the CardSystems breach highlights the failure of a complete industry security ecosystem that includes many players, including auditors, merchant and card issuing banks and the credit card associations themselves," the research firm wrote. The report took an especially dim view of the Payment Card Industry (PCI) security and audit standards that were recently widely adopted.
"Gartner believes that the PCI audit process has been shallow, random and incomplete, and that the card industry needs to accept responsibility for a weak audit process based on overly general standards that need to be updated and strengthened with more details based on practical implementation issues," the company said in a synopsis of the report. "The fallout and penalties from this incident should not only be levied on CardSystems, but also on Visa and MasterCard, and their approved auditors." The report also found that the PCI standard's 12 rules and 200 detailed requirements fall far short when it comes to implementation issues, reflecting the fact that in most areas companies cannot comply with the letter of the standard and must ask for acceptance of mitigating controls. "Mitigating controls are subject to many different interpretations, leading to uneven security standards," the firm said. Visa has strongly contested the Gartner report, pointing out that the security breach occurred because a firm had not been following the PCI standard. But the card brand has been silent on the revelation that CardSystems had been audited for compliance with Visa's security standards by an approved auditor, Cable and Wireless, and that the auditor had approved the firm's safeguards. The report and the ongoing investigation into the CardSystems case have led several card security experts to advise credit unions to pay close attention to what they can do to protect themselves from fraud which may be just about inevitable. "We are definitely advising credit unions to start using Falcon or a neural network program as soon as they can, if they haven't begun already," explained Tim Kaliban, a card security expert with Certegy, the card processor for roughly 4,000 credit unions.
Kaliban explained that the use of Falcon, the neural network Visa advises using, gives credit unions some of the best protection and alerting should card data thieves start using card information they might have stolen weeks or months before. "The problem is that every card breach is going to be a little different and so it's important for credit unions to get some basic and comprehensive systems into place that can address more than one sort of breach," he said. In addition to Falcon, both Kaliban and Barry Smith, president of Bankcard Fraud Solutions, urged credit unions which issue Visa to take advantage of Visa's new Advanced Authorization system, which scores the authorization in real time (before the authorization transaction is passed to the issuer or processor). Visa has also begun including an indicator telling the issuer that the account number was part of a known compromise. This new system is demonstrating a significant lift when the scores and Reason Codes are passed to the Falcon system and rules are written against the data, Smith explained. Smith and Kaliban also made it clear that the protections against fraud were going to be a mixture of new technology like Falcon and Advanced Authorization and older, tried and true approaches like staff screening, staff training and routine security precautions such as card activation, sending letters to the old address to confirm address changes, low cash advance limits and a limited number of cash advance transactions in the same day.

Greater Fraud In PIN Transactions?

Smith also warned that as stealing credit card data and committing credit card fraud became more difficult, card thieves and fraudsters would move to other card products, such as those which use personal identification numbers.
"We are now seeing large fraud losses from PIN-based debit and ATM accounts," Smith said, an unfortunate development since PIN transactions have been considered a "safe haven" for issuers because the number provided protection from fraudsters. But recent phishing and other types of consumer fraud are capturing account numbers, expiration dates and the PIN, Smith explained, making fraud easier. "They aren't getting the security codes (CVV/CVC) from the magnetic stripes, but too many credit unions have not told their processors to check those codes when processing PIN transactions. This leaves these cards needlessly vulnerable just as though they didn't have the codes," Smith explained. Smith said that when his firm, BFS Consulting, began investigating the ATM fraud from Romania and Bulgaria, they found the transactions did not have a valid CVV/CVC code. Further investigation found that many CUs route PIN-based debit and ATM transactions through processors without validating the CVV/CVC codes in the magnetic stripes. These credit unions have become targets for phishing attacks and PIN-based fraud, he explained. The security codes on the magnetic stripe are the first line of defense against counterfeit fraud, Smith said, for all cards. Credit, signature debit, PIN debit, ATM debit and ATM cards must be protected against counterfeit fraud through validation of the CVV/CVC codes on the magnetic stripe. Smith said his firm had begun recommending 100% validation on all plastic products and urging credit unions whose processors cannot authorize using the security codes to start routing them through VisaNet or find a processor which can.
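Added example (not from the article, nor code from Certegy, BFS or Visa): an issuer-side authorization policy in Python that applies the controls Smith and Kaliban describe: it declines a request whose stripe CVV/CVC does not match the issuer's reference value, which is what phished PAN/expiry/PIN data cannot supply, and enforces a low cash advance amount and a daily cash advance count. The card key, the track 2 layout and the HMAC-based CVV stand-in are constructed assumptions; the card brands' real CVV/CVC derivation is not reproduced.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for the issuer's card verification key. Real CVV/CVC values
# come from the card brands' DES-based scheme, which is deliberately not reproduced.
CVK = b"constructed-issuer-cvk"

def expected_cvv(pan: str, expiry: str, service_code: str) -> str:
    """Issuer-side reference CVV/CVC for a card (HMAC stand-in, not the real derivation)."""
    msg = f"{pan}{expiry}{service_code}".encode()
    mac = hmac.new(CVK, msg, hashlib.sha256).hexdigest()
    return str(int(mac[:8], 16) % 1000).zfill(3)

def parse_track2(track2: str) -> dict:
    """Split ';PAN=YYMMSSSCVV?' into fields. Placing the CVV right after the
    service code is a constructed simplification of real discretionary data."""
    body = track2.strip(";?")
    pan, sep, disc = body.partition("=")
    if sep != "=" or not pan.isdigit() or len(disc) < 10 or not disc[:10].isdigit():
        raise ValueError("malformed track 2 data")
    return {"pan": pan, "expiry": disc[:4], "service_code": disc[4:7], "cvv": disc[7:10]}

@dataclass
class Policy:
    validate_cvv: bool = True          # 100% validation, as the article recommends
    max_cash_advance: int = 300        # low per-transaction cash advance limit
    max_cash_per_day: int = 2          # limited cash advances per card per day
    cash_count: dict = field(default_factory=dict)

def authorize(policy: Policy, track2: str, txn_type: str, amount: int) -> str:
    """Issuer decision for one purchase, PIN-debit or cash advance request."""
    card = parse_track2(track2)
    ref = expected_cvv(card["pan"], card["expiry"], card["service_code"])
    # Phished PAN/expiry/PIN data lacks the stripe's CVV/CVC; a processor that skips
    # this check (validate_cvv=False) is the gap the article describes.
    if policy.validate_cvv and not hmac.compare_digest(card["cvv"], ref):
        return "DECLINE: CVV/CVC mismatch"
    if txn_type == "cash_advance":
        if amount > policy.max_cash_advance:
            return "DECLINE: cash advance amount limit"
        used = policy.cash_count.get(card["pan"], 0)
        if used >= policy.max_cash_per_day:
            return "DECLINE: daily cash advance count"
        policy.cash_count[card["pan"]] = used + 1
    return "APPROVE"
```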