A desire to further research incomplete transactions was cited as the reason for keeping credit card details, a practice that led to the exposure of 40 million credit card numbers.
Oops.
Based on comments from the CEO of Atlanta-based CardSystems Solutions, all that private payment information should never have been kept on its systems in the first place.
“We should not have been doing that,” said John Perry in a New York Times article. “That, however, has been remediated. We no longer store it on files.”
MasterCard was very quick to point out the wrongness of the company’s practice. “CardSystems provides services and is supposed to pass that information on to the banks and not keep it,” said Joshua Peirez, a MasterCard senior vice president. “They were keeping it.”
Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with MasterCard’s standards. “They were in violation of our rules,” she said.
Existing rules from Visa and MasterCard prohibit the sort of credit card retention practiced by CardSystems. After a transaction has been processed, third-party processors are supposed to discard payment details.
Of the 40 million credit card accounts exposed and potentially accessed by a criminal hacker, records for around 200,000 are known to have been stolen. They include MasterCard, Visa, and other credit card brands.
A security breach at CardSystems occurred when a vulnerability in its system allowed someone to place an unauthorized program on its network, according to reports. The program allowed the criminal to obtain and transfer out credit card numbers.
After MasterCard experienced numerous instances of fraud starting in the middle of April, it and Visa jointly demanded that CardSystems submit its systems to a third-party security audit. On May 22, security researchers found the rogue program.
With so many customers potentially affected, Congress will likely be compelled to pass legislation mandating industry security standards. Banks and credit card companies have insisted they could do a proper job without federal intervention.
But this latest massive case of theft comes on the heels of several other breaches this year involving personal details of individuals. Congress is unlikely to sit back and let this one go by without action, even in the face of intense lobbying from the powerful bank and credit card companies.
David Utter is a staff writer for Murdok covering technology and business.