Schneier on Security
A blog covering security and security technology.
July 21, 2005
Visa and Amex Drop CardSystems
Remember CardSystems Solutions, the company that exposed over 40 million identities to potential fraud? (The actual number of identities that will be the victims of fraud is almost certainly much, much lower.)
Both Visa and American Express are dropping them as a payment processor:
Within hours of the disclosure that Visa was seeking a replacement for CardSystems Solutions, American Express said Tuesday it would no longer do business with the company beginning in October.
The biggest problem with CardSystems' actions wasn't that it had bad computer security practices, but that it had bad business practices. It was holding exception files with personal information even though it was not supposed to. It was not for marketing, as I originally surmised, but to find out why transactions were not being authorized. It was disregarding the rules it agreed to follow.
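As an added illustration of that point (example code, not anything from the post or from CardSystems): a decline-research record that keeps the reason a transaction failed without retaining the cardholder data, alongside a scanner that flags full card numbers sitting in stored records. The HMAC key, merchant id and test card number are constructed for the example.

```python
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Constructed key for this example only; a real correlation key lives in a
# key store, never beside the records it protects.
CORRELATION_KEY = b"example-key-not-for-production"

# Matches a run of 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so the scanner only flags plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def correlation_token(pan: str) -> str:
    """Keyed hash: lets analysts group repeat declines of one card
    without the record holding the card number itself."""
    return hmac.new(CORRELATION_KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]


def exception_record(pan: str, cvv: str, merchant_id: str, decline_code: str) -> dict:
    """Build a research record for a declined authorization that keeps the
    'why' (merchant, decline code, time) but not the cardholder data."""
    del cvv  # accepted so callers see it is deliberately dropped, never stored
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "merchant_id": merchant_id,
        "decline_code": decline_code,
        # first six and last four are enough to study issuer/BIN decline patterns
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "pan_token": correlation_token(pan),
    }


def find_retained_pans(line: str) -> list:
    """Detection control for stored exception files: return every
    Luhn-valid 13-19 digit run, i.e. card numbers that should not be there."""
    return [m for m in PAN_RE.findall(line) if luhn_valid(m)]
```

Running `find_retained_pans` over each line of an existing exception file is a quick way to surface the kind of retention described above before an assessor or an attacker does.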
Technical problems can be remediated. A dishonest corporate culture is much harder to fix. This is what I sense reading between the lines:
Visa had been weighing the decision for a few weeks but as recently as mid-June said that it was working with CardSystems to correct the problem. CardSystems hired an outside security assessor this month to review its policies and practices, and it promised to make any necessary upgrades by the end of August. CardSystems, in its statement yesterday, said the company's executives had been "in almost daily contact" with Visa since the problems were discovered in May.
Visa, however, said that despite "some remediation efforts" since the incident was reported, the actions by CardSystems were not enough.
CardSystems Solutions Inc. "has not corrected, and cannot at this point correct, the failure to provide proper data security for Visa accounts," said Rosetta Jones, a spokeswoman for Foster City, Calif.-based Visa....
Visa said that while CardSystems has taken some remediating actions since the breach was disclosed, those could not overcome the fact that it was inappropriately holding on to account information -- purportedly for "research purposes" -- when the breach occurred, in violation of Visa's security rules.
At this point, it is unclear what MasterCard and Discover will do.
MasterCard International Inc. is taking a different tack with CardSystems. The credit card company expects CardSystems to develop a plan for improving its security by Aug. 31, "and as of today, we are not aware of any deficiencies in its systems that are incapable of being remediated," spokeswoman Sharon Gamsin said.
"However, if CardSystems cannot demonstrate that they are in compliance by that date, their ability to provide services to MasterCard members will be at risk," she said.
Jennifer Born, a spokeswoman for Discover Financial Services Inc., which also has a relationship with CardSystems, said the Riverwoods, Ill.-based company was "doing our due diligence and will make our decision once that process is completed."
I think this is a positive development. I have long said that companies like CardSystems won't clean up their acts unless there are consequences for not doing so. Credit card companies dropping CardSystems sends a strong message to the other payment processors: improve your security if you want to stay in business.
(Some interesting legal opinions on the larger issue of disclosure are here.)
Posted on July 21, 2005 at 11:49 AM
Visa and Amex have impressed me. Mastercard, though, seems to be sliming its bureaucratic way through the world.
I, for one, am pleased to see this announcement, hopefully it isn't just a public ruse. For only with financial repercussions will these slime bag corporations be forced to improve and take personal information rights and the safeguards to house them seriously.
Of course, as always... it's about the dollar... It's disgusting that it always has to come to that...
I just thought of this: maybe the "remediation" effort they were looking for involved high-level pink slips. I certainly might take them more seriously if executives there were dropping like flies, but I haven't heard anything about that.
Re: the earlier comments about Visa being somehow better than MasterCard. Do people not realize that they are both owned by substantially the same entities, i.e. their member banks who issue large numbers of credit cards? They try to market them as two distinct brands, and so not all policies are identical from the consumer side of things, but you can bet a lot of the backend policies are.
This article explains the Visa / MasterCard ownership issues a bit (though it is a bit old, and also from the biased viewpoint of Morgan Stanley, who owns the Discover card):
When a company is in the position that CardSystems is (maybe soon to be "was") in, one can only hope that they would have a conscience as large as their credit card number inventory.
Under the same light, the TSA has been keeping personal data on airline passengers that it was forbidden to hold.
I was surprised not to see it reported here, given that Mr. Schneier was involved with Secure Flight, and that he was quoted in several reports.
Ah, the sweet smell of capitalism in action. Cardsystems screw up, their customers run a mile for fear of being tainted by association. Long may it continue.
The interesting aspect to this is that there are literally hundreds of enterprises that have validated compliance with PCI (or CISP and SDP) that are also at risk.
It is relatively simple to lie to auditors to pass a PCI audit while in reality disregarding many of the PCI requirements. Also, flunking customers isn't exactly the best way for auditing businesses to drum up new clients, and I know of several offhand that are in the habit of rubber-stamping a company despite seeing ample reason not to. Even if they didn't, however, the patchwork of outdated, incomplete and sometimes even curiously irrelevant PCI standards hardly addresses real risks in a fashion that should make cardholders comfortable about the security of their data.
VISA and Mastercard are making an example out of CardSystems (and rightly so), but I won't be taking this as a cue that things are looking up.
Me? I request replacement credit and debit card numbers every six months, and watch my account activity carefully.
"Me? I request replacement credit and debit card numbers every six months...."
Wow; I'm impressed. I don't do that.
If you read the CardSystems testimony in front of Congress (http://www.cardsystems.com/pdf/CardSystemsWrittenTestimony.pdf) they say that they used Cable and Wireless as the auditor to get their CISP certification.
When I think of financial assessments, I don't usually think of "Cable and Wireless" as a leader in the field. Makes you wonder if CardSystems is already a C&W customer and rubber stamped the CISP audit.
"Wow; I'm impressed. I don't do that."
I view it as regularly changing passwords. If the threat is that the information has been compromised somehow and can be used to do bad things, arranging for the leaked data to be useless is a good idea. As much online shopping as I do, I would be unsurprised (if pissed) were I to learn that my payment card data had fallen into the wrong hands.
Next: other similar companies start secretly hiring crackers to steal personal information from competitors, so that the security breaches put them out of business.
How much hassle is it? I'd like to do something like that, but I'd assumed they'd be pretty truculent about it.
"When I think of financial assessments, I don't usually think of "Cable and Wireless" as a leader in the field."
The CISP is not a financial assessment. It is related directly to information security and the safety of cardholder data. It actually morphed from the Visa CISP and MasterCard SDP into the more universal Payment Card Industry (PCI) standards around Dec 2004.
Two things are really important here:
1) CardSystems did not realize they had a breach until MasterCard and an information security company traced back unusual amounts of fraud.
2) Visa announced that CardSystems would not be allowed to continue processing CC, because they would be unable to comply with the terms of doing business today (the PCI Security Standards).
At the end of the day, the PCI Data Security Standards are very detailed but like any regulations ultimately lead to a good deal of interpretation work by security professionals. Without going into too much of the details of the process, there are six key areas that the PCI covers:
1) Build and Maintain a Secure Network
2) Protect Cardholder Data
3) Maintain a Vulnerability Management Program
4) Implement Strong Access Control Measures
5) Regularly Monitor and Test Networks
6) Maintain an Information Security Policy
Companies that are not seriously committed to achieving these goals really should not be in the business of managing CC, regardless of whether they were holding files accidentally, etc.
This is exactly the point I was trying to make in the discussion about whether a CyberSecurity role in DHS can be effective without strong executive peer-relationships, given that many companies that handle IDs are still unable to comply with security 101 even when they are faced with stiff financial penalties ($500,000 per breach, and $100,000 more per breach if not reported timely, with an option to suspend services):
Bruce, you conclude that CardSystems has a "dishonest corporate culture". I am not surprised by this, and I think this is the reaction we should expect when people discover a company trusted with personal identity information (let alone independently certified) has been seriously negligent or at least careless about security practices...and there is no bigger disincentive in business than losing all your customers (when they discover the emperor never had any clothes).
Talk about spin!
"CardSystems Solutions faces "imminent extinction" if Visa stops doing business with the Atlanta-based credit card processor, Chairman and CEO John M. Perry told a House subcommittee Thursday."
Was it because they failed to follow proper procedures? No...
"In testimony before the House Financial Services subcommittee on oversight and investigations, Perry said that "as a result of coming forth with this important information, CardSystems is being driven out of business.""
"The CardSystems CEO said he was concerned that other companies might hesitate to come forward about security breaches if his company goes under."
Read it at:
CardSystems Haiku I
Card numbers stolen
No fair, VISA's being mean
It wasn't our day
"The CardSystems CEO said he was concerned that other companies might hesitate to come forward about security breaches if his company goes under."
This is an interesting argument for two reasons.
First, some people said companies would never disclose unless there were penalties for non-disclosure (which has largely been proven true) and now some people are saying that penalties will prevent disclosure. It is hard to fathom how a CEO could think it actually benefits shareholders to hide information about truly serious fraud-related breaches from the people/companies who are suffering from identity theft.
Second, I think this CEO is further proof of the misunderstanding some business leaders have about how security obligations are really just good business practices. And after those obligations have not been met, they really do not have a lot of negotiation rights. I mean CardSystems apparently only disclosed the breach AFTER an external investigation led by MasterCard basically brought it to their attention. This means, quite clearly, that CardSystems would never have had the pleasure of choosing whether to disclose the breach since the trail of massive amounts of fraud led investigators to the scene of the crime.
"The security breach at CardSystems came to light after MasterCard and an unnamed bank, together with computer forensics firm Ubizen, traced unusually high levels of fraud identified in mid-April back to problems at CardSystems. CardSystems said it reported the security breach to the FBI on May 23, the day after security experts nailed the source of the security breach. MasterCard, which went public on the problem on 17 June, is the only card issuer thus far to trace specific instances of fraud back to CardSystems."
I think it should be painfully clear that they were operating a business without proper controls. This is just like a restaurant that doesn't pass the simple health code requirements. Can you imagine the owner saying that they are being put out of business because they had to report that someone fell ill from poisoning...
The assessment Visa and Mastercard use is meant to determine whether security is sufficient to prevent further fraud. It appears that Visa felt that CardSystems was not in a position to prevent, or perhaps even detect, further breaches leading to fraud...
"I request replacement credit and debit card numbers every six months"
I do the same annually. You simply have no basic and reliable way today to trust that companies that accept your credit cards will protect them from disclosure.
The PCI Data Security Standards are a breath of fresh air to Information Security managers who are trying to get companies in-line with current Risk, and I wholeheartedly agree with Visa and MasterCard taking the hard line on tracing fraud and keeping business honest. Don't forget that the various Payment Card Industry entities have been trying to get data security standards approved since at least 2001. So, if you look into it, you'll find that the time for soft-enforcement has become ancient history already (at least in computer fraud time)...
"How much hassle is it? I'd like to do something like that, but I'd assumed they'd be pretty truculent about it."
Actually, most CC customer service reps are happy and more-than-willing to take care of it quickly. The smart CC companies and banks obviously WANT to reduce the risk of fraud since it impacts them directly, and cycling numbers is a good way to handle it.
Note that regularly closing accounts and changing CC companies can negatively impact your credit rating, so you really just want to change the account number(s) at the same company.
Ironically, the people who might have a problem with it are the CC handlers/processors who want to store your information for "your convenience".
"It is relatively simple to simple lie to auditors to pass a PCI audit while in reality disregarding many of the PCI requirements."
True, just as you can lie to your doctor about chest pain you've been feeling, you can easily lie to the auditors about the data you are not encrypting. But even that analogy is a stretch here since you would be lying to the doctor about something that will kill your customer(s), not you.
The point is not whether you can misrepresent the security of a company, but who bears liability for failure to prevent, detect and report breaches under independent and mandatory certification.
Visa has been quite clear since Jan 2005 that if cardholder data is stolen from a company and it is found to be in non-compliance, they will issue fines of $500,000/incident (or more) and hold the company liable for all losses.
"Visa has been quite clear since Jan 2005 that if cardholder data is stolen from a company and it is found to be in non-compliance, they will issue fines of $500,000/incident (or more) and hold the company liable for all losses."
This is true, but in my experience the average enterprise isn't as committed to addressing some amorphous poorly-understood security risk so much as they are committed to validating compliance as quickly as possible, getting the audit out of the way, and continuing to process payment cards. There are a number of reasons why they don't take the possibility of compromise seriously, and I don't think that many of them see a 1:1 correlation between choosing an auditing outfit that is easy on businesses and the increase of risk of compromise of cardholder data.
How many financial businesses took GLBA seriously before the storm of Cease and Desists started raining down, shutting down banking businesses from coast to coast? It might happen in similarly spectacular fashion with PCI standards, but I'm not terribly optimistic.
Roger: Thus far I've had no trouble ever changing a card number associated with an account, be it credit or debit, when I mention how much online shopping I do. Staff are always very understanding and happy to do something simple (and it is a very simple procedure on their end) to prevent bigger account problems later on.
it's all a smoke screen. reports of the death of cardsystems are greatly exaggerated. visa has cut it off, but mastercard and discover are prepared to dish a little more business to it, among their many vendors, to keep it alive because this is an incestuous industry, the execs are all members of the same country club and nobody wants to be the one to force poor old john m. perry to resign his membership. mister perry lied under oath like a dirty rug when he testified before the house subcommittee that the forced disclosure of the breach was putting him out of business, but corporate perjurers can lie with impunity, remember the tobacco executives who testified that nicotine wasn't addictive? i support the death penalty for corporate malefactors but it takes more than a press release to convince me, SHOW ME THE DAMN BODY ALREADY!
While I can understand Visa needing to take this stance to support their brand, the outcome of CardSystems going broke will be people losing their jobs. As per the spirit of SarbOx (make the individual accountable for their actions) wouldn't it be better just to hold the decision makers at CardSystems personally accountable and get rid of (fine/imprison/terminate) them?
There's no doubt someone's going to be hurt by this. The question is, as a society, would we rather punish the guilty executives and the--possibly, but not certainly--innocent employees, or would we rather reward them (i.e., make not spending the money on security pay off, because they get bailed out anyway) and instead punish the customers who have to deal with increased identity theft?
One of the issues is what is an audit and what is a vulnerability test/assessment?
The audit requirements for PCI (and the preceding standards) are quite complex. The "audit" completed by Cable and Wireless was not anything which I would consider an audit. With journalists calling "ethical attacks" audits it is no wonder that we are in this state.