In a first-of-its-kind move, Visa USA and American Express Co. have dropped the hammer on an affiliated payment processor, several months after it was revealed that a massive security breach exposed the records of millions of its cardholders.
CardSystems Solutions put the account information of approximately 40 million credit card holders at risk for fraud by mishandling data stored in its database. Customers' names, credit card numbers and expiration dates were revealed in the breach.
Of those 40 million, 200,000 were marked as being at high risk for fraud: 100,000 Visa cards, 68,000 from MasterCard, and 30,000 cards from other credit card companies that use CardSystems to process transactions. The breach was the largest of its kind ever to be reported.
Associated instances of fraud have already been uncovered.
A spokesperson for American Express has stated that it will sever its relationship with CardSystems as early as October. The spokesperson declined to provide any further comment.
Visa was more vocal in a memorandum that it sent to its participating banks. "CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for those accounts," said Tim Murphy, Visa's senior vice president for operations. "Visa USA has decided that CardSystems should not continue to participate as an agent in the Visa system."
American Express and Visa expect that merchants and cardholders will continue to experience normal service despite their decision to bar CardSystems from processing their transactions.
Although it did not say whether it would follow Visa's lead, a spokesperson for MasterCard told BetaNews, "MasterCard’s acquiring banks are fully aware that we are working with CardSystems to bring their systems into compliance in as short a time as possible. However, if CardSystems cannot demonstrate that they are in compliance by that date, their ability to provide services to MasterCard members will be at risk."
MasterCard is holding weekly meetings with CardSystems Solutions to monitor its progress in drafting a detailed plan to meet MasterCard's security requirements by August 31, 2005. MasterCard says that it is not aware of any deficiencies that cannot be remediated.
A spokesperson for Discover Financial Services, which also uses CardSystems to process transactions, could not be reached by press time.
Some industry watchers see the move as a prime example of industry self-regulation.
"Visa's decision sends a strong message to the industry about their willingness to enforce the PCI Data Security Standard to the fullest extent. We'll see if MasterCard and American Express follow suit," Jeremiah Grossman, Chief Technology Officer of WhiteHat Security, told BetaNews.
In June, the U.S. government's Federal Financial Institutions Examination Council began investigating the network security systems and data handling practices of CardSystems. The FBI has launched a separate investigation.
CardSystems is accused of centralizing all of its accumulated account information onto a single server for research purposes, in violation of the security protocol and policies of nearly all credit card companies.
Hackers obtained access to the server and placed a downloader that transmitted credit card data.
CardSystems Solutions has been providing services to credit card companies for nearly 15 years and has processed as much as $15 billion in transactions annually. The company is privately held and is based in Tucson, Arizona.
A CardSystems spokesperson did not respond to requests for comment in time for publication.