Visa and Amex Drop CardSystems
Remember CardSystems Solutions, the company that exposed over 40 million identities to potential fraud? (The actual number of identities that will be the victims of fraud is almost certainly much, much lower.)
Both Visa and American Express are dropping them as a payment processor:
Within hours of the disclosure that Visa was seeking a replacement for CardSystems Solutions, American Express said Tuesday it would no longer do business with the company beginning in October.
The biggest problem with CardSystems’ actions wasn’t that it had bad computer security practices, but that it had bad business practices. It was holding exception files with personal information even though it was not supposed to. It was not for marketing, as I originally surmised, but to find out why transactions were not being authorized. It was disregrading the rules it agreed to follow.
Technical problems can be remediated. A dishonest corporate culture is much harder to fix. This is what I sense reading between the lines:
Visa had been weighing the decision for a few weeks but as recently as mid-June said that it was working with CardSystems to correct the problem. CardSystems hired an outside security assessor this month to review its policies and practices, and it promised to make any necessary upgrades by the end of August. CardSystems, in its statement yesterday, said the company’s executives had been “in almost daily contact” with Visa since the problems were discovered in May.
Visa, however, said that despite “some remediation efforts” since the incident was reported, the actions by CardSystems were not enough.
CardSystems Solutions Inc. “has not corrected, and cannot at this point correct, the failure to provide proper data security for Visa accounts,” said Rosetta Jones, a spokeswoman for Foster City, Calif.-based Visa….
Visa said that while CardSystems has taken some remediating actions since the breach was disclosed, those could not overcome the fact that it was inappropriately holding on to account information—purportedly for “research purposes”—when the breach occurred, in violation of Visa’s security rules.
At this point, it is unclear what MasterCard and Discover will do.
MasterCard International Inc. is taking a different tack with CardSystems. The credit card company expects CardSystems to develop a plan for improving its security by Aug. 31, “and as of today, we are not aware of any deficiencies in its systems that are incapable of being remediated,” spokeswoman Sharon Gamsin said.
“However, if CardSystems cannot demonstrate that they are in compliance by that date, their ability to provide services to MasterCard members will be at risk,” she said.
Jennifer Born, a spokeswoman for Discover Financial Services Inc., which also has a relationship with CardSystems, said the Riverwoods, Ill.-based company was “doing our due diligence and will make our decision once that process is completed.”
I think this is a positive development. I have long said that companies like CardSystems won’t clean up their acts unless there are consequences for not doing so. Credit card companies dropping CardSystems sends a strong message to the other payment processors: improve your security if you want to stay in business.
(Some interesting legal opinions on the larger issue of disclosure are here.)