Source: Schneier on Security: Visa and Amex Drop CardSystems
Visa and Amex Drop CardSystems
Remember CardSystems Solutions, the company that exposed over 40 million identities to potential fraud? (The actual number of identities that will be the victims of fraud is almost certainly much, much lower.)
Both Visa and American Express are dropping them as a payment processor:
Within hours of the disclosure that Visa was seeking a replacement for CardSystems Solutions, American Express said Tuesday it would no longer do business with the company beginning in October.
The biggest problem with CardSystems' actions wasn't that it had bad computer security practices, but that it had bad business practices. It was holding exception files with personal information even though it was not supposed to. It was not for marketing, as I originally surmised, but to find out why transactions were not being authorized. It was disregarding the rules it agreed to follow.
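The exception files existed for a legitimate debugging reason (working out why authorizations were declined), but that reason never required retaining full account data. As an added example (my own code, not anything from CardSystems, Visa or Amex, using a constructed signing key and a constructed authorization request), here is how a processor can write a still-useful record of a declined authorization that keeps only a masked PAN and a keyed token for correlating repeat declines, with a pre-write check that refuses any record containing prohibited fields or an embedded card number:

```python
import hashlib
import hmac
import json
import re

# Assumed: the processor holds a per-environment secret for tokenizing PANs.
# This value is constructed for the example only.
TOKEN_KEY = b"constructed-example-key-rotate-in-production"

# Fields that must never be written to an exception file, whatever the reason.
FORBIDDEN_FIELDS = {"pan", "cvv", "cvv2", "track1", "track2", "expiry", "pin"}

# Keys whose values are keyed hashes, not card data, so the digit-run scan skips them.
TOKEN_FIELDS = {"pan_token"}


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, so malformed numbers are rejected before anything is logged."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; everything else becomes '*'."""
    if not (13 <= len(pan) <= 19) or not pan.isdigit():
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed hash of the PAN. Analysts can group declines for one card without
    the file ever containing the card number; without the key it is not reversible."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def build_exception_record(auth_request: dict, decline_code: str,
                           key: bytes = TOKEN_KEY) -> dict:
    """Build the record written to the exception file for a declined authorization.
    The full PAN, CVV and expiry are consumed here and do not appear in the output."""
    pan = auth_request["pan"]
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return {
        "ts": auth_request["ts"],
        "merchant_id": auth_request["merchant_id"],
        "amount": auth_request["amount"],
        "currency": auth_request["currency"],
        "masked_pan": mask_pan(pan),
        "pan_token": pan_token(pan, key),
        "decline_code": decline_code,
    }


def record_is_safe_to_retain(record: dict) -> bool:
    """Control check run before any write: no forbidden field names, and no
    13-19 digit run (a PAN pasted into a free-text field) in any non-token value."""
    if FORBIDDEN_FIELDS & set(record):
        return False
    for key, value in record.items():
        if key in TOKEN_FIELDS:
            continue
        if re.search(r"\d{13,19}", json.dumps(value)):
            return False
    return True


# Constructed sample authorization request (the classic 4111... test number).
SAMPLE_AUTH_REQUEST = {
    "ts": "2005-06-17T10:15:00Z",
    "merchant_id": "M-CONSTRUCTED-001",
    "pan": "4111111111111111",
    "expiry": "12/27",
    "cvv": "123",
    "amount": "42.00",
    "currency": "USD",
}

if __name__ == "__main__":
    rec = build_exception_record(SAMPLE_AUTH_REQUEST, decline_code="05")
    assert record_is_safe_to_retain(rec)
    print(json.dumps(rec, indent=2))
```

The design choice is that the debugging question ("why was this card declined, and is it the same card every time?") is answered by the masked PAN, the keyed token and the decline code; nothing in the record lets a thief reconstruct an account, so a later compromise of the exception file is an operational problem rather than a mass card exposure.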
Technical problems can be remediated. A dishonest corporate culture is much harder to fix. This is what I sense reading between the lines:
Visa had been weighing the decision for a few weeks but as recently as mid-June said that it was working with CardSystems to correct the problem. CardSystems hired an outside security assessor this month to review its policies and practices, and it promised to make any necessary upgrades by the end of August. CardSystems, in its statement yesterday, said the company's executives had been "in almost daily contact" with Visa since the problems were discovered in May.
Visa, however, said that despite "some remediation efforts" since the incident was reported, the actions by CardSystems were not enough.
And this:
CardSystems Solutions Inc. "has not corrected, and cannot at this point correct, the failure to provide proper data security for Visa accounts," said Rosetta Jones, a spokeswoman for Foster City, Calif.-based Visa....
Visa said that while CardSystems has taken some remediating actions since the breach was disclosed, those could not overcome the fact that it was inappropriately holding on to account information -- purportedly for "research purposes" -- when the breach occurred, in violation of Visa's security rules.