--- begin forwarded text
Delivered-To: [EMAIL PROTECTED]
Date: Fri, 22 Jul 2005 10:46:45 -0400
To: Philodox Clips List [EMAIL PROTECTED]
From: R.A. Hettinga [EMAIL PROTECTED]
Subject: [Clips] Credit Data Firm Might Close
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
http://www.washingtonpost.com/wp-dyn/content/article/2005/07/21/AR2005072102465_pf.html
The Washington Post
washingtonpost.com
Credit Data Firm Might Close
After Databases Hacked, Customers Cancel Contracts
By Jonathan Krim
Washington Post Staff Writer
Friday, July 22, 2005; D02
The head of a payment processing firm that was infiltrated by computer
hackers, exposing as many as 40 million credit card holders to possible
fraud, told Congress yesterday that his company is facing imminent
extinction because of its disclosure of the breach and industry's reaction
to it.
"As a result of coming forward, we are being driven out of business," John
M. Perry, chief executive of CardSystems Solutions Inc., told a House
Financial Services Committee subcommittee considering data-protection
legislation. He said that if his firm is forced to shut down, other
financial companies will think twice about disclosing such attacks.
Visa USA Inc. and American Express Co. recently announced after
investigating the breach at CardSystems' Tucson, Ariz., facility that they
would no longer allow the firm to process transactions made with their
cards.
Atlanta-based CardSystems is one of several firms that serve as a
little-known hub in the nation's commerce system, transferring payments
between the banks of credit card-using consumers and the banks of the
merchants where purchases are made.
Perry called the decisions by Visa and American Express draconian and said
that unless Visa reconsiders, CardSystems would close and put 115 people
out of work. CardSystems handles only a small percentage of American
Express transactions, while Visa accounts for a large part of its business.
Perry said closing his company could disrupt the ability of merchants to
complete transactions, since it might take time for them to arrange for
alternate payment processors. For that reason, Visa said it is not cutting
off the company until Oct. 31.
While Perry said his company is doing everything it can to ensure that such
a breach never occurs again, Visa said it could not overlook that
CardSystems knowingly violated contractual requirements for how long credit
card data were supposed to be stored and how they were secured.
Rosetta Jones, a Visa USA spokeswoman, said after the hearing that the
credit card giant also has had difficulty getting sufficient information
from CardSystems since the breach occurred. Nonetheless, at the urging of
Rep. Rick Renzi (R-Ariz.), Visa agreed to another meeting with CardSystems
before it severs ties with the firm.
Neither Perry nor representatives of the major credit card companies could
explain at the hearing why an audit of CardSystems in 2003 did not address
its computer vulnerabilities or its practice of retaining some data for
research purposes.
Of the 40 million credit card numbers in CardSystems' data banks, roughly
240,000 are known to have been downloaded in May by the hackers, who
implanted malicious computer code into the company's network last fall to
gain access to the information.
The files did not contain Social Security numbers, driver's license data or
other personal information frequently targeted by identity thieves.
Perry said that he knows of no purloined credit card numbers that were used
fraudulently, although MasterCard -- which first announced the breach to
the public last month -- said that a small number of card numbers were
misused.
Law enforcement agencies, including the FBI, are investigating the incident.
Subcommittee members, while condemning the data breaches that have exposed
millions of consumers to possible fraud or identity theft in the past year,
disagreed on what Congress should do about it.
"The CardSystems incident is a spectacular failure of private industry to
effectively secure personal data," Rep. Carolyn B. Maloney (D-N.Y.) said in
urging greater regulation. "We need to provide the legal structure to fix
it."
In response, Rep. Tom Price (R-Ga.) admonished members against greater
regulation and greater penalties, which is oftentimes the knee-jerk
reaction to problems.
With numerous House and Senate bills already introduced to address identity
fraud and theft, and several more being prepared, both parties expect
legislative action.
Most bills would require disclosure of breaches, though the industry
supports limiting notification to cases in which there is significant risk
that the data could be used for fraud or identity theft.
Representatives of the credit card companies yesterday also supported
proposals to extend federal security requirements to payment processors,
not just banks and financial