21 June 2005

Keystone Kop-Out

Perhaps it's as Abraham Maslow opined -- "If you only have a hammer, you tend to see every problem as a nail." As someone who deals with contracts every day, I tend to see contracts law in every topic. Yesterday, both Ars Technica and The New York Times covered the massive CardSystems Solutions data theft, which was finally revealed last week. I of course was drawn to a contracts angle in the controversy which was mentioned only in passing.

Contractual arrangements between the card issuers, including MasterCard and Visa, and transaction processors, such as CardSystems, prohibit the processors from retaining cardholder names, account numbers, expiration dates, security codes, and other information after completion of a transaction. A significant portion of the data lost by CardSystems comprises information improperly maintained by the company despite those contract prohibitions. According to The New York Times account:
[John M. Perry, CardSystems' CEO] said the data was in a file being stored for "research purposes" to determine why certain transactions had registered as unauthorized or uncompleted.

"We should not have been doing that," Mr. Perry said. "That, however, has been remediated." As for the sensitive data, he added, "We no longer store it on files."

. . . .

"CardSystems provides services and is supposed to pass that information on to the banks and not keep it," said Joshua Peirez, a MasterCard senior vice president who has been involved with the investigation. "They were keeping it."

So CardSystems improperly retained consumer data despite specific contract prohibitions . . . at least they'd take some care to protect that information, right? Not according to Ars Technica: "[T]he data was stored in an unencrypted file accessible from outside the company's network. As a result, an intruder was able to access CardSystems' network via a known and unpatched security vulnerability and make off with the data." Quoted by The New York Times, industry insiders pointed out the particular value of the lost information:
Mr. Peirez of MasterCard said that the data inappropriately retained by CardSystems was particularly sensitive because it included cardholders' three- and four-digit security codes, making it more attractive to potential thieves because it can double or triple the black-market value of a cardholder's account. Ms. [Avivah] Litan of Gartner said there was no reason for a processor to store security codes. "It's probably just laziness or they don't know the rules," she added.

Ultimately, if there's any consolation in all of this, it's that dumb luck sometimes protects us -- the personal data exposed by CardSystems could have been much more personal than it was, according to Ars Technica:
The good news (if there is any) is that no identifying data such as addresses and Social Security numbers was stolen -- just names, account numbers, and card security codes. So victims should only have to worry about credit card fraud (for which they will have no liability) rather than wholesale identity theft. Praise be!

As cardholders, we (implicitly) place our faith in the card issuers to establish and enforce appropriate guidelines for data protection. When issuers point to the strength of their contractual terms to excuse their lack of enforcement of those very terms, however, we can safely conclude that our faith is misplaced.

To protect cardholders, Visa and MasterCard have long-established policies for the merchants and processors that handle transactions on their payment network. They require their processors, for example, to hire a certified outside assessor to do an annual security assessment. Processors must also conduct a quarterly self-evaluation and scans for network vulnerabilities.

The card associations have also spent millions of dollars to upgrade their own computer systems with sophisticated fraud-detection software. Over the last two years, they have sent out teams to processor and merchant sites to review compliance.

. . . .

"The standards themselves are very effectively written," said Tom Arnold, a partner at Payment Software Company, a consulting firm in San Francisco that advises and provides security assessments for merchants and processors. "The challenge in the industry can be when people don't fully comply or try to cut corners."

Avivah Litan, an industry analyst at Gartner Inc., agreed. "If they are really serious about these programs, they should pay attention to how the processors are guarding the data, and they are not," she said. After the disclosure of the security breach at CardSystems, varying accounts were offered about the company's compliance with card association standards.

. . . .

Yet, there may be little incentive for processors to change. Visa and MasterCard have said that payment processors that violate their rules must pay a penalty, but they do not disclose the amounts of those fines. And it is typically the merchant that bears the cost of data fraud.

Zero liability for customers means that fraudulent charges come out of a bank or store's coffers in the form of higher merchant transaction fees. "The retailers will pay for it and the issuing banks will get rich off it," Ms. Litan said. "It's just another revenue stream."

It's long been my opinion that unenforced contract terms are generally worse than absent ones, just as a threat that is never carried out is usually of less deterrent value than an implicit threat never explicitly made. Leave it to someone's imagination what might happen to him, and he'll probably act more appropriately than he will if he knows your dire warnings are nothing but toothless belligerence. It's like Robin Williams' joke about the mostly unarmed British police yelling after an escaping criminal, "Stop, or I'll say 'stop' again!"

Public reaction to breaches like that committed by CardSystems will likely prompt the drafting of reams of well-meaning policies and legislation. Let's focus instead on enforcing the already adequate terms which exist today.

If changes are deemed necessary, my own proposal is to establish a policy of credit karma -- if you are the manager or director of a company which mishandles sensitive consumer information as CardSystems has, your name, address, social security number, and credit information will be published for us all to use to recoup our own losses. Adjust your data retention and security practices accordingly.

[Update]
