We have a new leader in the race to see which vendor can quantitatively show the least regard for the people whose data they hold. CardSystems Solutions, a third-party credit card processor, now has admitted disregarding the credit card industry security rules they should have been following. In light of such a willful disregard of mandated rules, I do not understand why CardSystems is still in the credit card processing business.
Some industry leaders have told Congress it would be a bad idea to require that credit card companies tell people their private data might be at risk after a failure of computer or organizational security. They have claimed people would soon become overwhelmed by all the notices and give up.
For the last few months there has been a steady drumbeat of announcements, most but not all driven by a California law that requires such announcements when the privacy of people’s financial information is at risk.
So far, people and the media are still interested, at least in the big cases such as a recent one in which a hacker accessed information about 40 million credit card holders at CardSystems.
The announcement of the break at CardSystems came from MasterCard. Visa seemed a bit ticked off that MasterCard has spilled the beans.
Visa said it was working with law enforcement and it hoped that MasterCard telling its cardholders the truth would not hinder the investigation. In my opinion, hiding the truth in the name of law enforcement is an excuse to delay taking responsibility. MasterCard reported CardSystems did not meet the current Payment Card Industry Security Standard. These mandates were supposed to be in effect at companies the size of CardSystems last September. Yet, half a year later, a company processing millions of credit cards per year was ignoring parts of the standard and now has admitted to doing so.
Failure to meet the requirements can result in a permanent prohibition of participation in credit card programs. If the payment card industry is as serious about security as it claims to be, it will use this willful disregard of its own rules to send a message — it will permanently ban CardSystems from processing credit card transactions.
–Bradner is a consultant with Harvard University’s University Information Systems. He can be reached at [email protected].