Information Security News
mailing list archives
Re: Credit Data Firm Might Close
From: InfoSec News <isn () c4i org>
Date: Mon, 25 Jul 2005 03:21:54 -0500 (CDT)
Forwarded from: security curmudgeon <jericho () attrition org>
Everyone grab their violins..
: By Jonathan Krim
: Washington Post Staff Writer
: July 22, 2005
: The head of a payment processing firm that was infiltrated by computer
: hackers, exposing as many as 40 million credit card holders to possible
: fraud, told Congress yesterday that his company is "facing imminent
: extinction" because of its disclosure of the breach and industry's
: reaction to it.
: "As a result of coming forward, we are being driven out of business,"
: John M. Perry, chief executive of CardSystems Solutions Inc., told a
: House Financial Services Committee subcommittee considering
: data-protection legislation. He said that if his firm is forced to shut
: down, other financial companies will think twice about disclosing such
Hi Mr. Perry. I'm California law. I *require* you to come forward over
such a breach. You don't have a choice, you were not being altruistic,
you were not being overly ethical. You were following the laws.
: Perry called the decisions by Visa and American Express draconian and
: said that unless Visa reconsiders, CardSystems would close and put 115
: people out of work.
: While Perry said his company is doing everything it can to ensure that
: such a breach never occurs again, Visa said it could not overlook that
: CardSystems knowingly violated contractual requirements for how long
: credit card data were supposed to be stored and how they were secured.
CardSystems signed a contract with Visa saying that data would meet
certain technical security specifications, and that it would adhere to
a policy regarding data retention. This compromise shows that *both*
failed, and Visa is not happy with CardSystems breaking said contract.
This is business 101 folks. I feel bad about most of the employees
that will lose their jobs, but CardSystems failed them and they are
paying the price. As a Visa and AmEx card holder, I am quite happy.
: Neither Perry nor representatives of the major credit card companies
: could explain at the hearing why an audit of CardSystems in 2003 did not
: address its computer vulnerabilities or its practice of retaining some
: data for research purposes.
Hope it leaks out which security firm did this audit!