Visa USA and American Express are cutting ties with the payment-processing company that left 40-million credit and debit card accounts vulnerable to hackers in one of the biggest breaches of consumer data security.
CardSystems Solutions ”has not corrected, and cannot at this point correct, the failure to provide proper data security for Visa accounts,” said Rosetta Jones, a vice president at Foster City, California-based Visa, in a statement.
She said banks that issue Visa cards would have until October 31 to replace CardSystems with one of the hundreds of other payment-processing companies in the United States.
American Express also notified CardSystems it would sever its relationship, but spokesperson Judy Tenzer did not say when that will happen. CardSystems was a small part of American Express’ network, handling less than 0,5% of its transactions, she said.
Atlanta-based CardSystems released a statement saying it was ”disappointed and very surprised,” and hoped Visa would reconsider.
The company did not address American Express’ decision.
CardSystems told the FBI it learned of a potential breach of its computer network on May 22, and the break-in was publicly disclosed last month.
However, it appears the breach happened much earlier. Visa’s Jones said Australian banks had notified the credit card company about fraud in January that at the time seemed isolated. But later investigation revealed that the security hole at CardSystems was responsible, she said.
While information relating to 40-million accounts was laid bare in the break-in, credit card companies have said at least 200 000 were known to have been stolen, primarily MasterCard and Visa cards.
Visa said that while CardSystems has taken some remediating actions since the breach was disclosed, those could not overcome the fact that it was inappropriately holding on to account information — purportedly for ”research purposes” — when the breach occurred, in violation of Visa’s security rules.
MasterCard International is taking a different tack with CardSystems. The credit card company expects CardSystems to develop a plan for improving its security by August 31, ”and as of today, we are not aware of any deficiencies in its systems that are incapable of being remediated”, spokesperson Sharon Gamsin said.
”However, if CardSystems cannot demonstrate that they are in compliance by that date, their ability to provide services to MasterCard members will be at risk,” she said.
A spokesperson for Discover Financial Services, which also has a relationship with CardSystems, declined to comment.
Privately held CardSystems, headed by a former Visa executive, has 115 employees in Atlanta and Tucson, Arizona, where its system was hacked. Backed by such investors as Principal Financial Group, CardSystems has been in business for more than 15 years and processes more than $15-billion in payments annually. – Sapa-AP