Sep 24 2005
Hiding Credit Card Theft
Credit card companies can keep data ID theft secret | The Register
Security breach disclosure law faces court test
This really burns me up, especially since it’s happening in my own backyard. In 2003, California put into effect SB1386, a law forcing companies who have suffered loss of credit card information to notify their customers or face stiff penalties. There have always been a number of rather large loopholes in the law, but overall, it was a good first attempt at forcing companies to take responsibility for the security of credit card information in their care, and a number of other states have followed California’s example.
This episode all started earlier this year when it was revealed that CardSystems Solutions suffered a security breach and as many as 20 million credit card numbers may have been exposed to hackers, and as many as 260,000 records were taken. CardSystems does not directly do credit card business, but is a data processor and takes care of payment data for other companies. They had kept a copy of the data they were processing for other companies for use in their own testing, which is a direct violation of Visa and MasterCard policy. It was this copy of the database that hackers were able to get access to.
Shortly after the breach was revealed, a class action suit was filed against Visa and MasterCard seeking damages. The credit card companies responded that they are not responsible for notifying customers or paying damages, since they are not the merchant, just the bank issuing the credit cards. And as much as it pains me to say it, they’re probably correct. At least for now, the law is on their side, but hopefully that will change in the future.
CardSystems Solutions is the real culprit here; the only reason they aren’t the primary target of the suit is because they don’t have deep enough pockets. They knowingly broke the policies set forth by Visa and MasterCard, and now a lot of people are going to pay for it. The only good thing I see coming out of this is that Visa has cut all ties with CardSystems, which is probably the death knell for the company. Would you want to do business with a company that has proven it can’t protect itself and the resources it’s designed to protect? Not me.