[Clips] Credit Data Firm Might Close

R.A. Hettinga rah at shipwright.com
Fri Jul 22 10:47:21 EDT 2005 

--- begin forwarded text


 Delivered-To: clips at philodox.com
 Date: Fri, 22 Jul 2005 10:46:45 -0400
 To: Philodox Clips List <clips at philodox.com>
 From: "R.A. Hettinga" <rah at shipwright.com>
 Subject: [Clips] Credit Data Firm Might Close
 Reply-To: rah at philodox.com
 Sender: clips-bounces at philodox.com

 <http://www.washingtonpost.com/wp-dyn/content/article/2005/07/21/AR2005072102465_pf.html>

 The Washington Post

 washingtonpost.com
 Credit Data Firm Might Close
 After Databases Hacked, Customers Cancel Contracts

 By Jonathan Krim
 Washington Post Staff Writer
 Friday, July 22, 2005; D02

 The head of a payment processing firm that was infiltrated by computer
 hackers, exposing as many as 40 million credit card holders to possible
 fraud, told Congress yesterday that his company is "facing imminent
 extinction" because of its disclosure of the breach and industry's reaction
 to it.

 "As a result of coming forward, we are being driven out of business," John
 M. Perry, chief executive of CardSystems Solutions Inc., told a House
 Financial Services Committee subcommittee considering data-protection
 legislation. He said that if his firm is forced to shut down, other
 financial companies will think twice about disclosing such attacks.

 Visa USA Inc. and American Express Co. recently announced after
 investigating the breach at CardSystems' Tucson, Ariz., facility that they
 would no longer allow the firm to process transactions made with their
 cards.

 Atlanta-based CardSystems is one of several firms that serve as a
 little-known hub in the nation's commerce system, transferring payments
 between the banks of credit card-using consumers and the banks of the
 merchants where purchases are made.

 Perry called the decisions by Visa and American Express draconian and said
 that unless Visa reconsiders, CardSystems would close and put 115 people
 out of work. CardSystems handles only a small percentage of American
 Express transactions, while Visa accounts for a large part of its business.

 Perry said closing his company could disrupt the ability of merchants to
 complete transactions, since it might take time for them to arrange for
 alternate payment processors. For that reason, Visa said it is not cutting
 off the company until Oct. 31.

 While Perry said his company is doing everything it can to ensure that such
 a breach never occurs again, Visa said it could not overlook that
 CardSystems knowingly violated contractual requirements for how long credit
 card data were supposed to be stored and how they were secured.

 Rosetta Jones, a Visa USA spokeswoman, said after the hearing that the
 credit card giant also has had difficulty getting sufficient information
 from CardSystems since the breach occurred. Nonetheless, at the urging of
 Rep. Rick Renzi (R-Ariz)., Visa agreed to another meeting with CardSystems
 before it severs ties with the firm.

 Neither Perry nor representatives of the major credit card companies could
 explain at the hearing why an audit of CardSystems in 2003 did not address
 its computer vulnerabilities or its practice of retaining some data for
 research purposes.

 Of the 40 million credit card numbers in CardSystems' data banks, roughly
 240,000 are known to have been downloaded in May by the hackers, who
 implanted malicious computer code into the company's network last fall to
 gain access to the information.

 The files did not contain Social Security numbers, driver's license data or
 other personal information frequently targeted by identity thieves.

 Perry said that he knows of no purloined credit card numbers that were used
 fraudulently, although MasterCard -- which first announced the breach to
 the public last month -- said that "a small number" of card numbers were
 misused.

 Law enforcement agencies, including the FBI, are investigating the incident.

 Subcommittee members, while condemning the data breaches that have exposed
 millions of consumers to possible fraud or identity theft in the past year,
 disagreed on what Congress should do about it.

 "The CardSystems incident is a spectacular failure" of private industry to
 effectively secure personal data, Rep. Carolyn B. Maloney (D-N.Y.) said in
 urging greater regulation. "We need to provide the legal structure to fix
 it."

 In response, Rep. Tom Price (R-Ga.), admonished members against "greater
 regulation and greater penalties, which is oftentimes the knee-jerk
 reaction" to problems.

 With numerous House and Senate bills already introduced to address identity
 fraud and theft, and several more being prepared, both parties expect
 legislative action.

 Most bills would require disclosure of breaches, though the industry
 supports limiting notification to cases in which there is significant risk
 that the data could be used for fraud or identity theft.

 Representatives of the credit card companies yesterday also supported
 proposals to extend federal security requirements to payment processors,
 not just banks and financial institutions covered by current law.

 Some proposals go further and are likely to be opposed by the financial
 industry.

 A Senate Commerce Committee bill would allow consumers to "freeze" their
 credit, preventing anyone from getting loans or credit approval in their
 names without express permission.

 Evan Hendricks, editor of Privacy Times, who testified yesterday as a
 privacy expert, said he supports giving consumers the right to sue when
 they are damaged by breaches caused by lax security.

 "Some companies won't have adequate security unless they are forced to," he
 said.

 --
 -----------------
 R. A. Hettinga <mailto: rah at ibuc.com>
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 _______________________________________________
 Clips mailing list
 Clips at philodox.com
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list