The criminal exploit that exposed 40 million credit-card accounts to possible fraud is shedding light on an arcane but sensitive piece of the financial industry: the hundreds of companies that process transactions between merchants and card issuers.
While enormous in scope, the breach disclosed Friday at CardSystems Solutions was by no means the first such attack on a processor.
Many analysts believe banks and credit-card companies, despite working hard to tighten their own security, have failed to force payment processors to maintain similar standards.
“They’re not being watched carefully enough,” said Avivah Litan, an analyst with Gartner.
In recent years, card associations such as Visa and MasterCard have set up security requirements for processors to follow. No laws in particular govern this program, but the associations can impose fines of several hundred thousand dollars for transgressions.
However, Litan said proactive audits of companies like CardSystems don’t really happen.
Credit-card companies “just sort of wait for them to have a breach,” she said. “There’s just a lot of vagaries in how it’s enforced.”
In fact, she said, several similar breaches have happened before, and the public wasn’t told.
Card processors and merchants must certify through third-party monitors that they meet the banks’ and credit-card associations’ security standards. But compliance can be a long and costly process.
Consequently, several experts said they doubt CardSystems, which annually processes some $15 billion in transactions for more than 105,000 small to midsize businesses, is alone in being vulnerable to hackers.
“It’s quite possible that it could exist elsewhere,” said Michael Petitti, a senior vice president at AmbironTrustWave, one of the companies that perform the industry’s security certifications. CardSystems was not in his company’s purview, he said.
The breach occurred after CardSystems inappropriately held onto card data for “research purposes” rather than deleting it. Forty million accounts were exposed, and records pertaining to at least 200,000 are known to have been stolen, primarily MasterCard and Visa cards.
CardSystems did not return repeated calls seeking comment yesterday, but MasterCard spokeswoman Sharon Gamsin said the records — names, banks and account numbers — should have been deleted because “you don’t want that information sitting around.”
“Merchants aren’t allowed to keep it, and these processors aren’t allowed to keep it,” she said.
The FBI is investigating “several different angles,” bureau spokeswoman Deb McCarley said, declining to give details.
The break-in is the latest high-profile data breach to be publicly disclosed in recent months involving credit-card companies, retailers and data brokers that amass and sell consumer data.
Security and fraud experts say two factors are behind the trend:
• Information thieves are more sophisticated at grabbing and selling financially sensitive information.
• A California law took effect this year that requires companies to notify state residents when their personal information is compromised. Congress is debating a national version.
Perhaps the biggest previous security lapse involving a card processor was a 2003 hack on a Nebraska company called Data Processors International, part of TransFirst. As many as 8 million account numbers became vulnerable.
TransFirst spokesman Scott Jones would not say whether the company is confident a similar attack couldn’t happen again.
He said only that the company’s data banks are encrypted and watched by monitoring software to comply with Visa and MasterCard requirements.
Mike Gibbons, a former chief cybercrime investigator for the FBI, says financial-services companies have done better overall than most industries in developing tight computer security.
But Gibbons, now general manager for federal security solutions at Unisys, said the credit-card companies’ certification system for their partners isn’t necessarily sturdy.
Computer networks are very complex and constantly updated, so it wouldn’t be unusual for a major alteration to be made after a company is audited — one that could leave its network vulnerable to attack, he said.
Consumer advocates believe a more pervasive problem is at work: Retailers and banks are reluctant to do anything to change the credit system because they fear it would slow the process by which consumers get and use credit.
“Information travels through the credit system and stops in so many places where it could be illegally used that consumers have no idea what a hodgepodge of a system the credit-card companies have created,” said Edmund Mierzwinski, consumer program director at U.S. Public Interest Research Group.
That system, he said, is mainly designed to extract fees from consumers and businesses, “but very little of it is designed for security.”