American Express Co. has joined Visa U.S.A. in terminating its relationship with CardSystems Solutions Inc., a card processor that admitted it violated card industry database security requirements, enabling a hacker to access confidential information on 40 million accounts.
CardSystems processes transactions for more than 105,000 small to mid-sized businesses, including online retailers. Its partner programs include Authorize.net, geocerts.com and USA.NET.
CardSystems didn’t return calls for comment.
“We have notified CardSystems that we intend to end our processing relationship with them, effective in October, because they failed to meet the terms of our agreement with them,” an AmEx spokeswoman says. She declines to give further details but says that CardSystems processes an extremely small volume of AmEx transactions.
In a statement earlier this week, Rosetta Jones, Visa vice president, said the association decided to terminate its approval of CardSystems as a Visa processor and third-party agent after “an internal and forensics review of its processing practices demonstrated that—in violation of Visa’s rules—it did not have the appropriate controls in place to protect information.” The termination takes effect Oct. 31.
Visa says CardSystems’ CEO John M. Perry told the association that the company “knowingly retained unmasked magnetic stripe cardholder data, purportedly for ‘research purposes,’ even though retention of the data violated Visa’s long-standing data security and storage requirements.”
Although the processor has taken steps to correct the problems since the initial reporting of the incident in May, Jones said, Visa can’t overlook the “significant harm” the data compromise had on Visa financial institutions, merchants and cardholders. “CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for Visa accounts,” she said.
While the termination pertains to the U.S. region, it also will extend to Visa International members’ ability to connect to the Visa system through CardSystems, she said.
In a statement, MasterCard says it has required CardSystems to develop a detailed plan to bring its systems into compliance with MasterCard security requirements by Aug. 31. If CardSystems can’t demonstrate compliance by that date, “their ability to provide services to MasterCard members will be at risk.”
The association also said that it is meeting weekly with the processor and “as of today, we are not aware of any deficiencies in the systems that are incapable of being remediated. They have already ceased storing sensitive data in accordance with MasterCard rules,” the association said.
Discover Financial Services Inc. is in discussions with CardSystems and reviewing its systems, a spokeswoman says. “We’re doing our due diligence and we’ll make a decision once that process is completed,” she says.