Half of the shoes have dropped on CardSystems, but it’s unclear whether the others will. They should, and this company should leave the credit card business.
Since I last wrote about CardSystems, Visa has announced that the company would be barred from processing Visa card payments as of the end of October. American Express followed suit. But MasterCard seems to have decided to forgive and forget and let CardSystems process MasterCards.
In other words, MasterCard decided that business as usual was just fine.
The representatives of the credit card companies and the CEO of CardSystems also testified at a congressional subcommittee hearing on “Credit Card Data Processing: How Secure Is It?” But nothing much new seems to have come out of the hearing.
The prepared statement of CardSystems CEO John Perry gives the chronology and details of the security breach, and implies that the company will have to close if Visa follows though on its decision to terminate CardSystems’ authority to process Visa cards.
Perry also stated it is clear that records of at least 239,000 unique credit cards were downloaded, records that had been stored in direct violation of Visa and MasterCard security standards. Visa makes it clear (six times) in a two-page FAQ posted on its site that card holders are not responsible for fraud resulting from these stolen card records, but mail order and Internet merchants could be.
CardSystems is a company that, by its own admission, purposefully and with full understanding violated MasterCard’s rules and put tens of millions of credit card users at risk. If this does not get MasterCard to act, I hate to imagine what would.
CardSystems’ Perry expressed surprise at Visa’s actions. It seems he would rather face the kind of penalty that the Securities and Exchange Commission normally settles for, an agreement to not be bad in the future. I’m also surprised at Visa’s actions — pleasantly so.
Disclaimer: You can’t not be surprised at what happens at Harvard – it’s so large and diverse. But the university has not expressed an opinion about shredding MasterCards, so the above is my own.
–Bradner is a consultant with Harvard University’s University Information Systems. He can be reached at email@example.com.