By Jonathan Krim
Washington Post Staff Writer
Friday, July 22, 2005
The head of a payment processing firm that was infiltrated by computer hackers, exposing as many as 40 million credit card holders to possible fraud, told Congress yesterday that his company is "facing imminent extinction" because of its disclosure of the breach and industry's reaction to it.
"As a result of coming forward, we are being driven out of business," John M. Perry, chief executive of CardSystems Solutions Inc., told a House Financial Services Committee subcommittee considering data-protection legislation. He said that if his firm is forced to shut down, other financial companies will think twice about disclosing such attacks.
Visa USA Inc. and American Express Co. recently announced after investigating the breach at CardSystems' Tucson, Ariz., facility that they would no longer allow the firm to process transactions made with their cards.
Atlanta-based CardSystems is one of several firms that serve as a little-known hub in the nation's commerce system, transferring payments between the banks of credit card-using consumers and the banks of the merchants where purchases are made.
Perry called the decisions by Visa and American Express draconian and said that unless Visa reconsiders, CardSystems would close and put 115 people out of work. CardSystems handles only a small percentage of American Express transactions, while Visa accounts for a large part of its business.
Perry said closing his company could disrupt the ability of merchants to complete transactions, since it might take time for them to arrange for alternate payment processors. For that reason, Visa said it is not cutting off the company until Oct. 31.
While Perry said his company is doing everything it can to ensure that such a breach never occurs again, Visa said it could not overlook that CardSystems knowingly violated contractual requirements for how long credit card data were supposed to be stored and how they were secured.
Rosetta Jones, a Visa USA spokeswoman, said after the hearing that the credit card giant also has had difficulty getting sufficient information from CardSystems since the breach occurred. Nonetheless, at the urging of Rep. Rick Renzi (R-Ariz)., Visa agreed to another meeting with CardSystems before it severs ties with the firm.
Neither Perry nor representatives of the major credit card companies could explain at the hearing why an audit of CardSystems in 2003 did not address its computer vulnerabilities or its practice of retaining some data for research purposes.
Of the 40 million credit card numbers in CardSystems' data banks, roughly 240,000 are known to have been downloaded in May by the hackers, who implanted malicious computer code into the company's network last fall to gain access to the information.
The files did not contain Social Security numbers, driver's license data or other personal information frequently targeted by identity thieves.
Perry said that he knows of no purloined credit card numbers that were used fraudulently, although MasterCard -- which first announced the breach to the public last month -- said that "a small number" of card numbers were misused.
Law enforcement agencies, including the FBI, are investigating the incident.
Subcommittee members, while condemning the data breaches that have exposed millions of consumers to possible fraud or identity theft in the past year, disagreed on what Congress should do about it.
"The CardSystems incident is a spectacular failure" of private industry to effectively secure personal data, Rep. Carolyn B. Maloney (D-N.Y.) said in urging greater regulation. "We need to provide the legal structure to fix it."
In response, Rep. Tom Price (R-Ga.), admonished members against "greater regulation and greater penalties, which is oftentimes the knee-jerk reaction" to problems.
With numerous House and Senate bills already introduced to address identity fraud and theft, and several more being prepared, both parties expect legislative action.
Most bills would require disclosure of breaches, though the industry supports limiting notification to cases in which there is significant risk that the data could be used for fraud or identity theft.
Representatives of the credit card companies yesterday also supported proposals to extend federal security requirements to payment processors, not just banks and financial institutions covered by current law.
Some proposals go further and are likely to be opposed by the financial industry.
A Senate Commerce Committee bill would allow consumers to "freeze" their credit, preventing anyone from getting loans or credit approval in their names without express permission.
Evan Hendricks, editor of Privacy Times, who testified yesterday as a privacy expert, said he supports giving consumers the right to sue when they are damaged by breaches caused by lax security.
"Some companies won't have adequate security unless they are forced to," he said.