Credit Data Firm Might Close
Friday, July 22, 2005
The head of a payment processing firm that was infiltrated by computer hackers, exposing as many as 40 million credit card holders to possible fraud, told Congress yesterday that his company is "facing imminent extinction" because of its disclosure of the breach and industry's reaction to it.
"As a result of coming forward, we are being driven out of business," John M. Perry, chief executive of CardSystems Solutions Inc., told a House Financial Services Committee subcommittee considering data-protection legislation. He said that if his firm is forced to shut down, other financial companies will think twice about disclosing such attacks.
Visa USA Inc. and American Express Co. recently announced after investigating the breach at CardSystems' Tucson, Ariz., facility that they would no longer allow the firm to process transactions made with their cards.
Atlanta-based CardSystems is one of several firms that serve as a little-known hub in the nation's commerce system, transferring payments between the banks of credit card-using consumers and the banks of the merchants where purchases are made.
Perry called the decisions by Visa and American Express draconian and said that unless Visa reconsiders, CardSystems would close and put 115 people out of work. CardSystems handles only a small percentage of American Express transactions, while Visa accounts for a large part of its business.
Perry said closing his company could disrupt the ability of merchants to complete transactions, since it might take time for them to arrange for alternate payment processors. For that reason, Visa said it is not cutting off the company until Oct. 31.
While Perry said his company is doing everything it can to ensure that such a breach never occurs again, Visa said it could not overlook that CardSystems knowingly violated contractual requirements for how long credit card data were supposed to be stored and how they were secured.
Rosetta Jones, a Visa USA spokeswoman, said after the hearing that the credit card giant also has had difficulty getting sufficient information from CardSystems since the breach occurred. Nonetheless, at the urging of Rep. Rick Renzi (R-Ariz.), Visa agreed to another meeting with CardSystems before it severs ties with the firm.
Neither Perry nor representatives of the major credit card companies could explain at the hearing why an audit of CardSystems in 2003 did not address its computer vulnerabilities or its practice of retaining some data for research purposes.
Of the 40 million credit card numbers in CardSystems' data banks, roughly 240,000 are known to have been downloaded in May by the hackers, who implanted malicious computer code into the company's network last fall to gain access to the information.
The files did not contain Social Security numbers, driver's license data or other personal information frequently targeted by identity thieves.
Perry said that he knows of no purloined credit card numbers that were used fraudulently, although MasterCard -- which first announced the breach to the public last month -- said that "a small number" of card numbers were misused.