Interesting People mailing list archives

Regulators Start Inquiry in Data Loss


From: David Farber <dave () farber net>
Date: Wed, 22 Jun 2005 01:05:33 -0400

Note they will not tell us the banks involved. djf

June 22, 2005
Regulators Start Inquiry in Data Loss

By ERIC DASH
Federal banking regulators said yesterday that they had started an investigation into CardSystems Solutions, the payment processor where a security breach has put millions of American cardholders at risk for fraud.

The Federal Financial Institutions Examination Council, an interagency group of the five federal banking regulators, said the investigation began last week. Officials are assessing security at CardSystems' operational centers, at the major credit card companies and at any banks that may be involved, the council said. It would not identify the banks contacted in the inquiry.

The investigation is expected to take two to four weeks. There is a separate criminal investigation by the Federal Bureau of Investigation.

MasterCard said Friday that information from 40 million credit and debit card accounts was exposed after an intruder gained access to CardSystems' computer network. CardSystems has acknowledged that the account information of perhaps 200,000 cards from Visa, MasterCard and American Express was stolen.

"We became aware of an issue, and we will now conduct an examination," said Michael L. Jackson, the associate director of the consumer protection division of the Federal Deposit Insurance Corporation, a member of the interagency council.

"When you are talking about a theft of that size, that is the logical step," said Mr. Jackson, who oversees the regulation of information technology for the banking industry.

A CardSystems spokeswoman said the company declined to comment.

The federal banking regulators are interviewing officials at CardSystems to determine whether its computer system and internal controls met government security guidelines. They are also reviewing the results of the processing company's financial and security audits.

"We look to see if they have had vulnerability assessments, scans, and if they have firewalls," Mr. Jackson said, and the assessment will also look at whether the customer data was encrypted. "There can be differences in what our expectations are and their expectations are."

Mr. Jackson said federal regulators have also contacted MasterCard, Visa, American Express and the other card companies to help assess what went wrong at CardSystems.

A Visa spokeswoman, Rosetta Jones, said the company met with the regulator as part of a regular review, but the data breach was only one of the items discussed. Representatives of MasterCard and Visa said they did not know if their companies had been contacted by the regulators.

Mr. Jackson said the regulators are identifying the banks that issue credit cards to consumers and transfer money to the merchants. Those banks are also responsible for ensuring that the payment processors they hire follow the security rules of the payment associations.

"We are discussing with the banks to find out whatever information there is about the breach," Mr. Jackson said. "We want to know what they know."

Security oversight of the major players in the credit card industry is as complicated as the multistep payment process itself. The banks that issue cards and hire the processing companies may be regulated by one of five federal agencies; they are also subject to the regulatory council's information technology and security assessment every 18 to 36 months.

The payment associations have no direct federal financial regulator, but they are also subject to the council's security review on a similar schedule. Both groups may also be subject to informal reviews.

There is, however, no regular security assessment for processing companies, like CardSystems, even though they handle the transaction data of millions of consumers each day. Assessments of processors are conducted on an as-needed basis. "When there are issues or risks are identified, we conduct an investigation," Mr. Jackson said.

Associations like Visa and MasterCard impose rules for payment processors that handle data linked to their network. The processors are required to pass an annual outside security audit to ensure they meet the associations' standards. They are also subject to quarterly network scans to detect any vulnerabilities, but those results are made available to the payment associations only on request. The primary oversight of a processing company's security, however, is left to the banks that pay for their services.

"MasterCard requires our banks to comply with all our standards," said Joshua Peirez, a senior vice president at MasterCard who is responsible for policy. Mr. Peirez said it was up to the banks, and those with whom they contract, to ensure compliance.

The interagency council has only indirect enforcement power over the processors.

"We don't have enforcement over these" companies, Mr. Jackson said. "We have enforcement over financial institutions."

The banks, he added, "can assess monetary penalties" against noncompliant processors, and ultimately, "They don't have to sponsor them anymore."

-------------------------------------

Archives at: http://www.interesting-people.org/archives/interesting-people/
