Banks that issue credit and debit cards are moving rapidly to contain the damage caused by the potentially massive theft of card information from a transaction-processing company that was disclosed last week.
Some 22 million Visa-branded cards and 14 million MasterCard-branded cards were exposed to the security breach at CardSystems Solutions Inc. that was disclosed by MasterCard last week. The breach was reported by CardSystems to Visa and MasterCard in late May.
Washington Mutual has canceled 1,400 cards whose numbers were stolen and is issuing replacements. J.P. Morgan Chase & Co., which with 94 million cards outstanding is the nation's largest card issuer, hasn't canceled or reissued any cards as a result of the incident but is monitoring the situation closely, a spokesman says. Visa and MasterCard are relaying information picked up by their fraud-detection systems to issuing banks, which then decide whether to cancel or reissue cards.
The 1,400 cards canceled by Washington Mutual are known to have been used to commit fraud; an unknown but presumably higher number may be at risk for fraud, a bank spokeswoman says.
Of the 14 million MasterCard-branded card records that were exposed, 68,000 are known to have been stolen. Visa hasn't said how many of its records were stolen but hasn't yet detected any unusual fraud patterns resulting from the security breach, a spokesman says.
The full extent of the damage may not be known until consumers receive their monthly statements and begin reporting fraudulent charges to their banks. But Visa and MasterCard, as well as the banks themselves, have sophisticated fraud-detection systems in place and will promptly shut down any card accounts suspected of being used for fraud.
The security breach involved an infiltration into CardSystems' network by an unauthorized individual who accessed cardholder data. Visa won't say how or when the discovery of the incident took place, nor what actions it has taken against CardSystems. Telephone calls to CardSystems weren't returned.
The company may have violated provisions of the Payment Card Industry Data Security Standard, a set of security requirements for merchants and payment processors that includes implementing strong access-control measures, regularly monitoring and testing networks, and maintaining an information security policy. CardSystems was certified as being in compliance with Visa's Cardholder Information Security Program--which implements the PCI provisions--in June 2004 by an independent security-assessment firm but was later determined to be no longer in compliance when it was discovered that it was inappropriately storing cardholder data.
Companies have until June 30 to be in compliance with the PCI standard. Hefty fines can be levied against those found not to be in compliance.
In the wake of the CardSystems incident, which caps a string of similar incidents involving lost or stolen card data, banks are likely to lean heavily on third-party payment processors to comply with PCI. For one thing, it costs a bank between $50 and $75 to cancel and reissue a card. Based on the number of cards already known to have been stolen, the cost to the banking industry of this latest incident could be staggering. There's also the risk of class-action lawsuits stemming from liabilities by banks for failing to protect personal information under the Gramm-Leach-Bliley Act.
"Ultimately, it's the bank's responsibility for safeguarding the data," says Nigel Tranter, a partner at Payment Software Company LLC, which conducts security audits for payment processors.
During an audit, which averages between five and eight days but can take longer for larger companies, Payment Software assesses a company's business processes and looks to identify weaknesses in physical and logical data controls. During the six months following the June 30 PCI deadline, there will be a push by banks to force processors into compliance, Tranter says. "There will be a lot of fallout from this," he says. "We will see fines being levied and some fairly strong-arm tactics applied."
The nature of the card-processing system makes it difficult to trace where card numbers might end up getting stored. MonsterCommerce Inc., which provides shopping-cart software for 5,000 online retailers, connects to 13 "gateways" operated by companies such as VeriSign and Authorize.Net, says Megan Buckley, director of software development. The gateways connect merchants to processing companies, which in turn submit the transaction through to the card networks for authorization. Each gateway can connect to dozens of processors, so neither the merchant nor MonsterCommerce has any way of ascertaining where the card data might be going. "It gets a little convoluted once you pass it through a gateway," Buckley says.
MonsterCommerce itself stores account numbers--but not the three-digit CVR number printed on the back of cards--on behalf of merchants who may need the numbers later, such as when handling a disputed transaction.
In accordance with the PCI standard, MonsterCommerce uses a cryptographic system from nCipher Corp. to safeguard card numbers it stores. It also employs firewalls and other security mechanisms prescribed by PCI, such as ensuring that the merchant's Web site is hosted on a different server from the one where card numbers are stored, Buckley says. MonsterCommerce itself expects to receive PCI certification before the end of the summer.