
Last Updated: 07/27/2016

40 Million Credit Card Users Put at Risk of Fraud

NEW YORK -- The chief of the credit card processing company whose computer system was penetrated by data thieves, exposing 40 million cardholders to a risk of fraud, acknowledged Sunday that the company should not have been retaining consumer records lost to the thieves.

The official, John Perry, chief executive of CardSystems Solutions, indicated that the records known to have been stolen covered roughly 200,000 of the 40 million compromised credit card accounts, from Visa, MasterCard and other card issuers. He said the data was in a file being stored for "research purposes" to determine why certain transactions had gone unauthorized or uncompleted.

"We should not have been doing that," Perry said.

Under rules established by Visa and MasterCard, processors are not allowed to retain cardholder information including names, account numbers, expiration dates and security codes after a transaction is handled. "CardSystems provides services and is supposed to pass that information on to the banks and not keep it," said Joshua Peirez, a MasterCard senior vice president who has been involved with the investigation. "They were keeping it."
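The failure described here is a data-retention one: the file kept for "research purposes" held full transaction records, security codes included. The following is an added example, not code from the article or from CardSystems, of how a processor can keep the signal it wants for decline analysis (which transactions failed, and why) while dropping the fields the card-brand rules say must not be retained. The record layout, field names and the sample transaction are all constructed for illustration.

```python
"""Added example: build a decline-analysis record that keeps no sensitive
cardholder authentication data. Field names and record layout are assumptions
for this illustration, not any real processor's format."""
import json

# Fields the card-brand rules (as the article describes them) say a processor
# must not keep once the transaction has been handled.
SENSITIVE_FIELDS = ("pan", "expiry", "security_code")

# Constructed sample transaction; the PAN is a well-known test number.
SAMPLE_TXN = {
    "txn_id": "t-0001",
    "merchant_id": "m-77",
    "amount_cents": 4599,
    "issuer": "visa",
    "pan": "4111111111111111",
    "expiry": "12/07",
    "security_code": "987",
}


def mask_pan(pan: str) -> str:
    """Keep the first six (issuer prefix) and last four digits, mask the rest."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN too short to mask safely")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def leaky_research_record(txn: dict, outcome: str, reason: str) -> dict:
    """The pattern the article describes: copy the whole transaction into the
    research file and tack on the outcome. Kept here only as the 'before'."""
    return {**txn, "outcome": outcome, "reason": reason}


def research_record(txn: dict, outcome: str, reason: str) -> dict:
    """Minimised record: everything needed to study why a transaction failed,
    nothing that can be used to replay a card."""
    return {
        "txn_id": txn["txn_id"],
        "merchant_id": txn["merchant_id"],
        "amount_cents": txn["amount_cents"],
        "issuer": txn["issuer"],
        "masked_pan": mask_pan(txn["pan"]),
        "outcome": outcome,
        "reason": reason,
    }


def contains_sensitive(record: dict, txn: dict) -> bool:
    """Sanity check before a record is written anywhere persistent: no sensitive
    field name, and none of the raw sensitive values, may appear in the
    serialised record. A string search is a last line of defence, not a proof."""
    if any(field in record for field in SENSITIVE_FIELDS):
        return True
    serialised = json.dumps(record)
    return any(str(txn[field]) in serialised for field in SENSITIVE_FIELDS)


if __name__ == "__main__":
    bad = leaky_research_record(SAMPLE_TXN, "declined", "insufficient_funds")
    good = research_record(SAMPLE_TXN, "declined", "insufficient_funds")
    print("leaky record leaks sensitive data:", contains_sensitive(bad, SAMPLE_TXN))
    print("minimised record:", json.dumps(good))
```

The check in `contains_sensitive` is deliberately placed at the point where a record is about to be persisted, because that is where the article's failure occurred: the transaction path itself was allowed to see the security code, the research file was not. If analysts need to link repeated failures on the same card, a keyed token derived from the PAN (not the PAN itself) would serve that purpose without reintroducing the retention problem.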

The security breach was reported Friday when MasterCard International said a lapse at CardSystems had allowed the installation of a rogue computer program that could extract data from the system, potentially compromising 40 million accounts of various credit cards.

MasterCard said Saturday that 68,000 of its own account numbers were especially at risk because they were in a file found to have actually been "exported from the system." CardSystems said Sunday that the file also contained data from other cards in proportion to the volume of business it handles from each company. That would translate to about 100,000 Visa accounts and roughly 30,000 others.

The details about CardSystems' handling of the data raised new questions about the effectiveness and enforcement of the standards established by the card companies for data protection and storage.

To protect cardholders, Visa and MasterCard have long-established policies for the merchants and processors that handle transactions on their payment network. They have spent millions of dollars to upgrade their own computer systems with sophisticated fraud-detection software. Over the last two years, they have sent out teams to processor and merchant sites to conduct compliance campaigns.

But one kink in this chain -- one processor that fails to comply -- can put untold numbers of cardholders at risk of fraud.

"The standards themselves are very effectively written," said Tom Arnold, a partner at Payment Software, a consulting company that advises and provides security assessments for merchants and processors. "The challenge in the industry can be when people don't fully comply or try to cut corners."

Perry of CardSystems offered a different account, saying his company had been audited in December 2003 by an unspecified independent assessor and had received a seal of approval from payment associations in June 2004.

CardSystems, based in Tucson, Arizona, processes more than $15 billion in payments for small to mid-size merchants and financial institutions each year.

MasterCard said that it had detected atypical levels of fraudulent charges on its cards as early as mid-April and, joined by Visa in mid-May, had requested that CardSystems allow its independent forensics team to investigate. It was not until May 22 that the security specialists identified the rogue computer program as the source, MasterCard said.

CardSystems said it contacted the FBI in Tucson and Atlanta on May 23. The FBI said Friday that its investigation was continuing.

Only MasterCard affirmed that it knew of specific instances of fraud against its customers traced to the CardSystems breach. Visa said it was monitoring the situation but had yet to detect any fraud traceable to the case. Those companies, along with American Express and Discover, said their cardholders would not be liable for fraudulent charges on their accounts.

Visa and MasterCard require their processors to hire a certified outside assessor to provide an annual security assessment. Processors must also conduct a quarterly self-evaluation and scans for network vulnerabilities.

Some critics contend that the standards may be good but enforcement is too lax.

Peirez of MasterCard said that the data inappropriately retained by CardSystems was particularly sensitive because it included cardholders' three- and four-digit security codes, making it more attractive to potential thieves because it can double or triple the black-market value of a cardholder's account.

Litan said there would be no reason for a processor to store the security code. "It's probably just laziness or they don't know the rules," she added.

The 40 million accounts that passed through CardSystems during the time period in question may be the largest case of exposed data to date. Banks' customer service representatives over the weekend said they fielded a heavy volume of phone calls from cardholders seeking guidance.

Yet, there may be little incentive for processors to change. Visa and MasterCard have said that payment processors that violate their rules must pay a penalty, but they do not disclose how much those fines actually are.

And it is typically the merchant that in the end bears the cost of data fraud. "Zero liability" for customers means that fraudulent charges come out of a store's coffers.