Visa, Amex cut ties with processing firm hit by security breach

Computerworld - Visa U.S.A. Inc. and American Express Co. are terminating their contracts with a credit card transaction processing company that was hit by hacker attacks, potentially exposing 40 million card numbers to online intruders.

In separate announcements, Visa and American Express said they are ending their relationships with CardSystems Solutions Inc. in Atlanta because the company didn't meet its contractual requirements in providing processing services for merchants that accept the credit cards. The companies will no longer allow CardSystems to process their transactions after October.

Rosetta Jones, a spokeswoman for San Francisco-based Visa, said in a statement that the action against CardSystems comes "after an internal and forensics review of its processing practices demonstrated that -- in violation of Visa's rules -- it did not have the appropriate controls in place to protect cardholder information."

"Despite some remediation actions taken by the processor since the initial reporting of the data compromise, Visa cannot overlook the significant harm the data compromise and CardSystems' failure to maintain the required security protections has had on Visa member financial institutions and merchants, as well as the significant concerns it has raised for cardholders," Jones said. "CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for Visa accounts."

CardSystems apparently kept credit cardholder data on file after the transactions were processed, in violation of its agreement with Visa, she said. Because the data was still on file, it could be accessed by intruders. "Visa's security requirements were adopted precisely for the purpose of protecting cardholder information and guarding against the type of data compromise recently experienced by CardSystems," Jones said.

Judy Tenzer, a spokeswoman for New York-based American Express, would not comment on the direct cause for the termination of the processing arrangements with CardSystems.

A spokesman for CardSystems didn't respond to numerous messages left by a reporter today.

Last month, MasterCard International Inc. announced that 13.9 million of its credit card numbers were among the 40 million that may have been accessed by intruders who apparently infiltrated CardSystems' network (see Security breach may have exposed 40M credit cards). A MasterCard spokeswoman said the credit card company's fraud-detection system first became aware of the infiltration in May and the company promptly launched an investigation into the breach.

In a statement yesterday, Purchase, N.Y.-based MasterCard said it will continue to allow CardSystems to provide transaction processing services because the company has worked to improve its security and procedures since the earlier incidents.

"MasterCard has required CardSystems Solutions to develop a detailed plan to bring its systems into compliance with MasterCard security requirements by August 31, 2005," the statement said. "MasterCard is holding weekly meetings with them to monitor progress, and as of today, we are not aware of any deficiencies in its systems that are incapable of being remediated. They have already ceased storing sensitive data in accordance with MasterCard rules.

"However, if CardSystems cannot demonstrate that they are in compliance by that date, their ability to provide services to MasterCard members will be at risk," the statement said.

Transaction processing companies such as CardSystems process transactions for merchants that accept credit cards from retail purchasers. The credit card companies certify the processing companies to provide the services. Merchants that have used CardSystems as their provider will be able to choose another processing company to provide the services once the agreements with Visa and American Express are ended, said Tenzer of American Express.

Read more about Security in Computerworld's Security Topic Center.