By Kim Zetter
June 22, 2005
CardSystems Solutions -- the credit-card processing company that
recently exposed 40 million debit and credit-card accounts in a cyber
break-in -- failed to secure its network, even though the network had
been certified secure to a data security standard, according to Visa.
Since 2001, Visa and MasterCard have been touting a data security
industry standard they developed in an effort to prevent credit-card
data theft and stave off federal regulation. The standard has become a
required criteria for businesses handling credit-card transactions.
Visa spokeswoman Rosetta Jones told Wired News that CardSystems
Solutions received certification in June 2004 that it was compliant
with the standard, but an assessment after the breach showed it was
MasterCard International announced last Friday that intruders had
accessed the data from CardSystems Solutions, a payment processing
company based in Arizona, after placing a malicious script on the
"Had they been following the rules and requirements, they would not
have been compromised," Jones said.
CardSystems did not return calls for comment.
The company was due this month for an annual audit to determine its
ongoing compliance with the standard when it discovered the data
breach in May.
"We sent in a forensic team (after the breach) and determined they
were not compliant based on how they were managing data," Jones said.
Jones would not provide specifics on what auditors found in their
assessment. But when asked if it would be fair to say that the
evidence indicated a failure to apply a firewall or maintain virus
definitions -- two basic steps in securing a network -- she said,
"That would be fair."
The standard, called the Payment Card Industry Data Security Standard,
or PCI, consists of 12 requirements (PDF), such as installing a
firewall and anti-virus software and regularly updating virus
definitions. It also requires companies to encrypt data, to restrict
data access to people who need it and to assign a unique identifying
number to people with access rights in order to monitor who views and
Although the standard was developed by Visa and MasterCard, it's
endorsed by other credit-card companies. It applies to any merchant or
service provider that processes, transmits or stores credit-card
payments and places additional requirements on card issuers, such as
banks, to ensure that merchants and service providers comply with the
requirements and report breaches in a timely manner. The standard went
into effect June 2001, although businesses had until June 30th of this
year to validate that they were in compliance, Jones said.
Since 2001, any business wishing to process credit-card transactions
had to sign a contract binding them to the PCI standard and obtain a
security audit from an approved assessor certifying their compliance.
Jones said CardSystems had an assessor evaluate its compliance and
submitted paperwork toward that compliance in June 2003. But Visa
"We felt that they had more work to do to become more fully
compliant," Jones said, declining to disclose what prompted the
rejection. A year later CardSystems submitted paperwork again and
received certification in June 2004.
Bruce Schneier, chief technology officer at Counterpane, a computer
security firm that helps companies secure and monitor their networks,
said the revelation highlights a universal problem with enforcing
"The standard not only has to be good, but the compliance process has
to have integrity," Schneier said. "But a lot of (compliance involves)
self-certification. It's things you say you do. And it's only audited
CardSystems is a major processor of credit-card transactions.
According to its website, it processes more than $15 billion annually
in credit-card transactions for Visa, American Express, MasterCard and
Discover. It also processes online transactions and Electronic Benefit
Transfer transactions -- cards used by the government to dole out
social welfare benefits such as food stamps and unemployment payments.
Jones wouldn't say who performed the compliance assessment for
CardSystems, but she noted that the assessor had to come from an
approved list of auditors (PDF) that Visa and MasterCard maintains.
Approved assessors go through a screening process. Jones said their
reputation relies on making certain that they "assess (a company's)
situation as truthfully and honestly as possible."
Per the PCI standard agreement, Visa and MasterCard can fine merchants
that don't comply with the data standard or they can withdraw the
company's right to accept credit-card payments or process
transactions. They could also conceivably collect damages from a
company if the breach resulted in a massive data loss that required
Visa or MasterCard to launch an expensive public relations campaign to
counteract the loss of public confidence in their cards.
"Visa and MasterCard could say=85 'you owe us $300,000 that we had to
spend on attorneys' fees and PR consultants,'" said Chad King, a
partner in the Texas law firm Hughes and Luce, who specializes in
privacy and data security issues. "Now would they do that? It's
unlikely. But if the merchant is Amazon.com, then maybe Visa would do
The bank that issued the credit card and the merchant's bank could
also be fined up to $500,000 per incident if a merchant or service
provider they did business with was out of compliance with the
standard at the time of a breach. Card issuers would also be subject
to a $100,000 penalty if they failed to notify Visa's fraud control
unit of a suspected or confirmed loss of data at one of their
merchants or service providers.
King said that many large merchants are already complying with the
"This is going to help smaller merchants and processors," he said. "It
will make them sit up and take note: If you're going to play in the
credit-card game, here are the rules."
The compliance requirement for the data standard goes into effect as
federal lawmakers are discussing legislation to regulate businesses
that deal with sensitive personal information in the wake of other
high-profile data breaches and security failures at companies like
ChoicePoint, Bank of America and CitiBank.
"They are really trying to hold up a banner and say we're
self-regulating and we can do this ourselves," King said. "But I think
ultimately we will see some federal regulation here."
Schneier said the PCI standard has teeth, since it levies financial
penalties and raises the cost of processing credit cards for companies
that are caught not complying, but he said Visa and MasterCard now
have to work out the compliance issues.
"They're terrified that everybody will be afraid to use their credit
card," Schneier said, about the motivation for the standard
requirements. "They're trying to protect the integrity of their
brands. So if they're not working, Visa and MasterCard will figure out
how to make them work."
Of course the standard will motivate companies only if they actually
have to pay a price for non-compliance. Jones said that there is
currently no plan to fine CardSystems Solutions for its lax security.
The New York Times reported this week that federal banking regulators
have launched an investigation into CardSystems' security procedures.
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 -
2,000+ international security experts,
10 tracks, no vendor pitches.