Merrick Bank chairman David Watson says his bank was approached two years ago by representatives of CardSystems Solutions, well before the Atlanta-based processor earned its data-breach notoriety. CardSystems was scouting for a required sponsor bank to take over the Visa and MasterCard processing contracts it held with Provident Financial Group, according to Watson.
Watson and others at the Utah-based subprime credit-card specialist said no dice, at least not until CardSystems' Tucson, AZ, operations center came into compliance with Visa's new data security and accreditation standards (the "CISP" rules) that would be mandatory by September 2004. Within nine months, CardSystems came back to the table with a rosy audit from a Visa-approved firm, paid by CardSystems, assuring that the processor met the card association's security requirements.
The eventual deal to acquire the contracts came about, Watson stated in written testimony to a July 21 House Financial Services subcommittee hearing, because the audit vouched for CardSystems' operating environment. "[Including] 'all systems and network components that retain, store or transmit cardholder data,'" Watson quoted from the auditor's report.
As the world knows now, that was not exactly the case. CardSystems was holding on to thousands of customer card numbers, reportedly for research of unfinished transactions and in violation of card association rules. Worse yet, CardSystems had been doing so since 1998, according to a forensic audit commissioned by Merrick, in the wake of the May 22 breach that MasterCard later announced could have exposed up to 40 million accountholders to unauthorized access. At press time, CardSystems admitted its future appeared to be very much in doubt, after both Visa and American Express announced they were terminating their contracts with the firm as an authorized processor. Visa has agreed to meet with CardSystems to reconsider, but is still on target to force merchants off CardSystems by October 31.
The CardSystems breach has done more than give shivers to customers over their personal data security. It's also dispersed a large ripple of anxiety across financial institutions and service providers who are suddenly worried they may be the next CNN headline or class-action defendant. Banks and credit card associations are calling for tougher regulation of all firms that handle consumer data and are shaking the trees with service providers to determine potential security shortcomings. "Any financial services company you go to is reevaluating their processors," says Avivah Litan, vp and financial services research director at Gartner. "This definitely has had a huge impact on the industry, and it's top of mind at every meeting." Frank Smith, vp of the technology strategy group at Capgemini, says it's a signal that a lot of places aren't doing a good job. "Those are simply the [breaches] that have been reported. I can't help but wonder about the ones that haven't stood up and accounted for [breaches]."
The firestorm around the CardSystems breach erupted in late July when both Visa and American Express announced they were terminating the company as an approved processor. Visa announced in a statement that despite remediation efforts by CardSystems (ones which have so far kept MasterCard from leaving the fold as well), it couldn't overlook "the significant harm the data compromise and CardSystems' failure to maintain the required security protections has had on Visa member financial institutions and merchants, as well as the significant concerns it has raised for cardholders."
Details on the breach were outlined by CardSystems president and CEO John Perry in testimony for the Congressional hearing. An unauthorized computer script extracted data from 239,000 account numbers and sent it to an FTP site. The script searched for records with track data culled from cards' magnetic stripes that included names, card numbers, expiration dates and CVV codes. The data was most likely only usable for transactional fraud, not identity theft, since no associated Social Security numbers were included.
Perry acknowledged the company erred in keeping the data and not encrypting it. But he also said CardSystems has been diligent in helping regulators, examiners and authorities investigate the breach, and has been working with security firm AmbironTrustWave to fulfill all the compliance requirements of the card associations. Even with a successful transition, it may all be for naught: without Visa and Amex, CardSystems could be "forced to permanently close our doors," and subsequently disrupt the payment systems of thousands of merchant clients.
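The retained records described above (full magnetic-stripe track data, kept unencrypted and in violation of card association rules) are exactly what a cardholder-data discovery scan is meant to surface before an attacker does. The following is an added example and not code from CardSystems, the card brands or anyone quoted in the article: a small Python scanner that flags records carrying Track 1 or Track 2 data as prohibited retention, reports bare card numbers for an encryption review, and masks everything it reports. The track layouts follow the ISO/IEC 7813 sentinel and separator conventions; the sample records are constructed for illustration and use the well-known test numbers 4111111111111111 and 5555555555554444.

```python
"""Cardholder-data discovery scan (added example; not CardSystems' code).

Flags records that retain full magnetic-stripe track data, which the card
brand rules cited in the article prohibit keeping after authorization, and
separately reports bare PANs so their encryption can be reviewed.
"""
import re

# Track 1: start sentinel '%', format code 'B', PAN, '^', name, '^', YYMM expiry,
# 3-digit service code, discretionary data (may carry CVV1), end sentinel '?'.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\??")
# Track 2: optional start sentinel ';', PAN, '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, optional end sentinel '?'.
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")
# Bare PAN candidate: a run of 13-19 digits not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

# Constructed sample records: one Track 1 record, one Track 2 record,
# one bare PAN in a settlement line, and one digit run that is not a card number.
SAMPLE_RECORDS = [
    "%B4111111111111111^DOE/JANE^25121011000000000000?",
    ";5555555555554444=25121010000000000000?",
    "settlement 4111111111111111 amount 19.99",
    "order 1234567890123456 shipped",
]


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_record(record: str) -> list:
    """Return masked findings for one record; track data outranks a bare PAN."""
    findings = []
    covered = set()  # PANs already reported as part of track data
    for m in TRACK1_RE.finditer(record):
        pan = m.group(1)
        if luhn_ok(pan):
            findings.append({"kind": "track1", "severity": "prohibited",
                             "pan_last4": pan[-4:], "expiry": m.group(3)})
            covered.add(pan)
    for m in TRACK2_RE.finditer(record):
        pan = m.group(1)
        if luhn_ok(pan):
            findings.append({"kind": "track2", "severity": "prohibited",
                             "pan_last4": pan[-4:], "expiry": m.group(2)})
            covered.add(pan)
    for m in PAN_RE.finditer(record):
        pan = m.group(1)
        if pan not in covered and luhn_ok(pan):
            # A stored PAN is permitted only if protected; flag it for review.
            findings.append({"kind": "pan", "severity": "review",
                             "pan_last4": pan[-4:]})
    return findings


def scan_records(records) -> list:
    """Scan every record and tag each finding with its record index."""
    results = []
    for idx, record in enumerate(records):
        for finding in scan_record(record):
            results.append({"record": idx, **finding})
    return results


def summarize(records) -> dict:
    """Count findings by severity, the figure a compliance review starts from."""
    counts = {}
    for finding in scan_records(records):
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f)
    print(summarize(SAMPLE_RECORDS))
```

Run against a dump of transaction logs or database exports, the scan reports only the last four digits, so the report itself does not become another copy of the data. The Luhn filter keeps order numbers and timestamps out of the results; a discretionary-data run longer than 19 digits is deliberately not treated as a PAN candidate.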
Litan agreed the Visa/Amex axing was overly harsh, considering CardSystems' snafu was a minor breach compared to the insider data-selling uncovered earlier at Wachovia and Bank of America. "Why aren't they having hearings on that, and firing employees extensively? It's just out of proportion to the damage that's been done," says Litan. "I'm sure there are plenty of other processors and companies that have the same issues, and rather than fix the whole system, they're picking on one processor."
Capgemini's Smith says the incident is not just about a provider's lax security, but the loose oversight by the card associations and banks that heretofore have been mostly dependent on a service provider's own SAS 70 audit to certify security standards. "If [CardSystems] had one, and they passed it and still got stung like this, then the controls were not effectively designed," he says.
Some banks and associations, such as the Federal Reserve Consumer Advisory Council, have called for tighter regulations on providers and prompted many observers to wonder what exactly those new rules might entail. "I am sure those will be accentuated and brought further scrutiny as all these issues are happening...but a lot of that stuff is already stipulated," says Michael Weider, founder and CTO of on-line security software company Watchfire. The FDIC and other agencies have authority to examine any service provider contracting with an institution, and "normally, the FFIEC agencies look at processors to the same extent we look at banks," says Michael Jackson, associate director of supervision and consumer protection with the FDIC.
With or without government regulation, banks will keep digging deeper into their third-party relationships. Huntington National Bank, for instance, recently added a chief risk officer and has an attorney dedicated to vetting service provider contracts. That involves not only assessing contractual requirements, says Huntington spokesman Ron Newman, but "technological changes in the industry that need to be formally addressed."
And that still didn't prevent a data leak from striking Huntington, which had 30,000 cards exposed in the CardSystems breach, with only 107 determined at risk for fraud.
The alerts have not only heightened scrutiny of provider security, but banks are also boning up on contract exit strategies. The BITS IT Service Provider Working Group with the Financial Services Roundtable recently distributed a publication to members on planning the termination of service-provider contracts. While not quite a "get out of the deal" guide, senior BITS consultant Faith Boettger says the guidance gave banks more details on how to measure an IT provider's fit into overall processes at the institution, and what to consider before signing on the dotted line.