Saturday, July 30, 2005
Credit Card Titans Cut Ties to CardSystems
Two credit card giants, American Express and Visa USA, are severing ties with the Atlanta-based credit card processor whose hacking incident left 40 million consumer accounts open to potential fraud. Within hours of the disclosure that Visa was seeking a replacement for CardSystems Solutions, American Express said yesterday it would no longer do business with the company beginning in October. The loss of two large clients marks another significant blow to the embattled CardSystems, which employs 25 in Atlanta and 90 at a Tucson, Ariz., processing center.
The company, which processed more than US$15 billion in transactions last year for Visa, MasterCard International, American Express and Discover Financial Services, already is at the center of two federal probes into its security breach. Tomorrow, John M. Perry, CardSystems' chief executive officer, is slated to appear before a subcommittee of the House Committee on Financial Services. Perry is one of several industry executives expected to testify. The hacking incident, which CardSystems discovered in May, included 22 million Visa and 13.9 million MasterCard accounts. American Express and Discover have not provided numbers. In an interview last month, Perry said the card information that was hacked was stored in what he called an "exception file," which contains accounts with transactions unable to be processed. The file contains account numbers, names and expiration dates, but not information used in identity theft, such as Social Security numbers or birth dates.
But both Visa and MasterCard said storing that information violated security agreements CardSystems has with both card associations. Visa sent letters to 11 banks that used CardSystems to process payments directing them to find a replacement firm by Oct. 31.
"Despite some remediation actions taken by the processor since the initial reporting of the data compromise, Visa cannot overlook the significant harm the data compromise and CardSystems' failure to maintain the required security protections has had on Visa member financial institutions and merchants, as well as the significant concerns it has raised for cardholders," Visa spokeswoman Rosetta Jones said yesterday in a statement.
"CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for Visa accounts," she said. CardSystems executives, who were en route to Washington yesterday, could not be reached for comment on American Express' decision. Earlier in the day, the company issued a statement concerning Visa. "We are disappointed and very surprised that Visa has decided to take this action today, not only because of the impact that it will have on our employees, but the disruption that it will cause to our 110,000 merchant customers," the statement read. "We hope that Visa will reconsider." CardSystems said its systems were found to be compliant by Visa in June 2004, and that the company has "been in almost daily contact" with Visa since discovering the breach. "Since that time, CardSystems has taken significant steps to ensure that we could restore our compliance status with Visa by August 2005," the company said.
It is unclear whether MasterCard --- Visa's chief competitor --- or Discover will follow suit. MasterCard said it is requiring CardSystems to develop a compliance plan by Aug. 31, and it is holding weekly meetings with company executives. "As of today, we are not aware of any deficiencies in its systems that are incapable of being remediated," MasterCard spokeswoman Sharon L. Gamsin said in a statement. "However, if CardSystems cannot demonstrate that they are in compliance by that date, their ability to provide services to MasterCard will be at risk."
A Discover spokeswoman said the company is reviewing its relationship with CardSystems and is interviewing company executives. After that review, spokeswoman Jennifer Born said, Discover will decide whether it will continue its relationship with CardSystems. A deadline for that decision has not been set.
Brought to you by the Guardian eCommerce Privacy Seal Program.
The company, which processed more than US$15 billion in transactions last year for Visa, MasterCard International, American Express and Discover Financial Services, already is at the center of two federal probes into its security breach. Tomorrow, John M. Perry, CardSystems' chief executive officer, is slated to appear before a subcommittee of the House Committee on Financial Services. Perry is one of several industry executives expected to testify. The hacking incident, which CardSystems discovered in May, included 22 million Visa and 13.9 million MasterCard accounts. American Express and Discover have not provided numbers. In an interview last month, Perry said the card information that was hacked was stored in what he called an "exception file," which contains accounts with transactions unable to be processed. The file contains account numbers, names and expiration dates, but not information used in identity theft, such as Social Security numbers or birth dates.
But both Visa and MasterCard said storing that information violated security agreements CardSystems has with both card associations. Visa sent letters to 11 banks that used CardSystems to process payments directing them to find a replacement firm by Oct. 31.
"Despite some remediation actions taken by the processor since the initial reporting of the data compromise, Visa cannot overlook the significant harm the data compromise and CardSystems' failure to maintain the required security protections has had on Visa member financial institutions and merchants, as well as the significant concerns it has raised for cardholders," Visa spokeswoman Rosetta Jones said yesterday in a statement.
"CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for Visa accounts," she said. CardSystems executives, who were en route to Washington yesterday, could not be reached for comment on American Express' decision. Earlier in the day, the company issued a statement concerning Visa. "We are disappointed and very surprised that Visa has decided to take this action today, not only because of the impact that it will have on our employees, but the disruption that it will cause to our 110,000 merchant customers," the statement read. "We hope that Visa will reconsider." CardSystems said its systems were found to be compliant by Visa in June 2004, and that the company has "been in almost daily contact" with Visa since discovering the breach. "Since that time, CardSystems has taken significant steps to ensure that we could restore our compliance status with Visa by August 2005," the company said.
It is unclear whether MasterCard --- Visa's chief competitor --- or Discover will follow suit. MasterCard said it is requiring CardSystems to develop a compliance plan by Aug. 31, and it is holding weekly meetings with company executives. "As of today, we are not aware of any deficiencies in its systems that are incapable of being remediated," MasterCard spokeswoman Sharon L. Gamsin said in a statement. "However, if CardSystems cannot demonstrate that they are in compliance by that date, their ability to provide services to MasterCard will be at risk."
A Discover spokeswoman said the company is reviewing its relationship with CardSystems and is interviewing company executives. After that review, spokeswoman Jennifer Born said, Discover will decide whether it will continue its relationship with CardSystems. A deadline for that decision has not been set.
Brought to you by the Guardian eCommerce Privacy Seal Program.
