19 July 2005

The Krap Keeps Koming

Although details concerning the CardSystems Solutions data dumbassery, about which I posted last month, have been leaking out steadily (much like your personal data, it seems), two items this morning prompt me to offer this update.

The New York Times reports that Visa USA has terminated its relationship with CardSystems:
Visa USA said yesterday that it would stop allowing the payment processor CardSystems Solutions to handle its transactions, months after the processor left the records of millions of cardholders at risk for fraud.

"CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for those accounts," said Tim Murphy, Visa's senior vice president for operations in a memorandum sent to several banks. "Visa USA has decided that CardSystems should not continue to participate as an agent in the Visa system."

. . . .

It is unclear if MasterCard and American Express will take similar action, but with Visa accounting for more than half of all card transactions, the move raises questions about the future of CardSystems.

"I've never heard of them booting off a processor," said Avivah Litan, a security analyst at Gartner Inc., a technology research group. "The worst thing that I've heard is a processor that had to cough up $1 million."

. . . .

Visa has given at least 11 banks, which hired CardSystems to handle the merchant transactions, until the end of October to change processors, the memo said. Until then, CardSystems will be allowed to process Visa transactions as long as it has corrected any problems and allows a Visa-affiliated monitor on site to oversee its operations in Tucson. CardSystems is also banned from handling Visa transactions from its international affiliates or any new merchants, processors or member banks in the United States.

. . . .

In the letter Visa sent to the banks, Mr. Murphy suggested that the data breach occurred as early as August 2004.

It is this last point which Jeremy Wagstaff, an outstanding technology columnist for Wall Street Journal Online and blogger at Loose Wire, investigates this morning:
The press release from ACI [Worldwide, a financial software vendor] quotes Australian Treasurer Peter Costello as having "recently told Parliament that National Australia Bank was actually the first bank in the world to uncover the fraud":

"It was the NAB that uncovered this fraud out of all the domestic and international banks of the world and reported it to MasterCard and Visa in September 2004," said Costello.

Wow. That's eight months before anyone else, since CardSystems didn't announce the fraud until May 22 2005.

. . . .

An updated report from Reuters the same day adds comments from MasterCard and Visa that shed further light on this:

"MasterCard spokeswoman Sharon Gamsin said, "We said from the beginning that it was reports of fraud from issuers that enabled us to do the analysis that led to CardSystems and led to the scope of this incident. One report of fraud would not necessarily have gotten us to that point."

"Visa spokeswoman Rosetta Jones said that when her company detects fraud, "banks are notified and accounts are closed. In this case, the National Australia Bank may have detected fraud late last year, but there was no clear indication that this fraud was part of a larger data compromise at that time.""

. . . .

So, as far as we can deduce from this, NAB, via its fancy software, spotted some kind of fraud taking place. That information was passed on to Visa and MasterCard sometime between September 2004 and January 2005. The FBI passed this information on to CardSystems at some point, although why everyone decided to sit on the information is unclear.

I'm glad that my earlier pessimism that the card issuers would not hold CardSystems' feet to the proverbial fire (unfortunately, not literal fire) appears to be without merit. Although MasterCard and American Express have not yet followed Visa's lead, I am now more optimistic that they soon will. An effective death penalty for CardSystems will remain in their peers' awareness far longer than this whole sorry affair is likely to remain in ours as consumers. As to the emerging issue of whether the issuers themselves bear significant blame for their nonfeasance despite months of early warning from Down Under, well, let's just wait and see.
