CardSystems' Data Left Unsecured

June 22, 2005

By Kim Zetter

http://www.wired.com/news/technology/0,1282,67980,00.html



CardSystems Solutions -- the credit-card processing company that recently exposed 40 million debit and credit-card accounts in a cyber break-in -- failed to secure its network, even though the network had been certified secure to a data security standard, according to Visa.

Since 2001, Visa and MasterCard have been touting a data security industry standard they developed in an effort to prevent credit-card data theft and stave off federal regulation. The standard has become a required criterion for businesses handling credit-card transactions.

Visa spokeswoman Rosetta Jones told Wired News that CardSystems Solutions received certification in June 2004 that it was compliant with the standard, but an assessment after the breach showed it was not compliant.

MasterCard International announced last Friday that intruders had accessed the data from CardSystems Solutions, a payment processing company based in Arizona, after placing a malicious script on the company's network.

"Had they been following the rules and requirements, they would not have been compromised," Jones said.

CardSystems did not return calls for comment.

The company was due this month for an annual audit to determine its ongoing compliance with the standard when it discovered the data breach in May.

"We sent in a forensic team (after the breach) and determined they were not compliant based on how they were managing data," Jones said.

Jones would not provide specifics on what auditors found in their assessment. But when asked if it would be fair to say that the evidence indicated a failure to apply a firewall or maintain virus definitions -- two basic steps in securing a network -- she said, "That would be fair."

The standard, called the Payment Card Industry Data Security Standard, or PCI, consists of 12 requirements, such as installing a firewall and anti-virus software and regularly updating virus definitions. It also requires companies to encrypt data, to restrict data access to people who need it and to assign a unique identifying number to people with access rights in order to monitor who views and downloads data.

Although the standard was developed by Visa and MasterCard, it's endorsed by other credit-card companies. It applies to any merchant or service provider that processes, transmits or stores credit-card payments and places additional requirements on card issuers, such as banks, to ensure that merchants and service providers comply with the requirements and report breaches in a timely manner. The standard went into effect June 2001, although businesses had until June 30th of this year to validate that they were in compliance, Jones said.

Since 2001, any business wishing to process credit-card transactions had to sign a contract binding them to the PCI standard and obtain a security audit from an approved assessor certifying their compliance.

Jones said CardSystems had an assessor evaluate its compliance and submitted paperwork toward that compliance in June 2003. But Visa rejected it.

"We felt that they had more work to do to become more fully compliant," Jones said, declining to disclose what prompted the rejection. A year later CardSystems submitted paperwork again and received certification in June 2004.

Bruce Schneier, chief technology officer at Counterpane, a computer security firm that helps companies secure and monitor their networks, said the revelation highlights a universal problem with enforcing standards.

"The standard not only has to be good, but the compliance process has to have integrity," Schneier said. "But a lot of (compliance involves) self-certification. It's things you say you do. And it's only audited minimally."

CardSystems is a major processor of credit-card transactions. According to its website, it processes more than $15 billion annually in credit-card transactions for Visa, American Express, MasterCard and Discover. It also processes online transactions and Electronic Benefit Transfer transactions -- cards used by the government to dole out social welfare benefits such as food stamps and unemployment payments.

Jones wouldn't say who performed the compliance assessment for CardSystems, but she noted that the assessor had to come from an approved list of auditors that Visa and MasterCard maintain.

Approved assessors go through a screening process. Jones said their reputation relies on making certain that they "assess (a company's) situation as truthfully and honestly as possible."

Per the PCI standard agreement, Visa and MasterCard can fine merchants that don't comply with the data standard or they can withdraw the company's right to accept credit-card payments or process transactions. They could also conceivably collect damages from a company if the breach resulted in a massive data loss that required Visa or MasterCard to launch an expensive public relations campaign to counteract the loss of public confidence in their cards.

"Visa and MasterCard could say ... 'you owe us $300,000 that we had to spend on attorneys' fees and PR consultants,'" said Chad King, a partner in the Texas law firm Hughes and Luce, who specializes in privacy and data security issues. "Now would they do that? It's unlikely. But if the merchant is Amazon.com, then maybe Visa would do it."

The bank that issued the credit card and the merchant's bank could also be fined up to $500,000 per incident if a merchant or service provider they did business with was out of compliance with the standard at the time of a breach. Card issuers would also be subject to a $100,000 penalty if they failed to notify Visa's fraud control unit of a suspected or confirmed loss of data at one of their merchants or service providers.

King said that many large merchants are already complying with the standards.

"This is going to help smaller merchants and processors," he said. "It will make them sit up and take note: If you're going to play in the credit-card game, here are the rules."

The compliance requirement for the data standard goes into effect as federal lawmakers are discussing legislation to regulate businesses that deal with sensitive personal information in the wake of other high-profile data breaches and security failures at companies like ChoicePoint, Bank of America and CitiBank.

"They are really trying to hold up a banner and say we're self-regulating and we can do this ourselves," King said. "But I think ultimately we will see some federal regulation here."

Schneier said the PCI standard has teeth, since it levies financial penalties and raises the cost of processing credit cards for companies that are caught not complying, but he said Visa and MasterCard now have to work out the compliance issues.

"They're terrified that everybody will be afraid to use their credit card," Schneier said, about the motivation for the standard requirements. "They're trying to protect the integrity of their brands. So if they're not working, Visa and MasterCard will figure out how to make them work."

Of course the standard will motivate companies only if they actually have to pay a price for non-compliance. Jones said that there is currently no plan to fine CardSystems Solutions for its lax security.

The New York Times reported this week that federal banking regulators have launched an investigation into CardSystems' security procedures.

