The following text is copyright 2005 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.

 

Time to shred that MasterCard?

 

By Scott Bradner

 

Half of the shoes have dropped on CardSystems but its unclear as of now if the others will as well.  They should, and CardSystems should be shut out of the credit card processing business.

 

Some things, but not enough, have happened since I last wrote about CardSystems Solutions (The Winner So Far: CardSystems Solutions http://www.networkworld.com/columnists/2005/062705bradner.html).  Most importantly, Visa announced that CardSystems would be barred from processing Visa card payments as of the end of October 2005.  American Express followed Visa's lead a few days later.  But MasterCard seems to have decided to forgive and forget and let CardSystems keep processing MasterCards as long as CardSystems fixes their security soon. (http://www.cardsystems.com/news/MasterCard%20Announcement%20071905.pdf)  In other words, MasterCard decided that business as usual was just fine. Discover has not yet made up its mind on what it's going to do.

 

The representatives of the credit card companies and the CEO of CardSystems Solutions also testified in front of a congressional subcommittee hearing on "Credit Card Data Processing: How Secure Is It?"  But nothing much new seems to have come out of the hearing.  The prepared statement of the CardSystems Solutions CEO John Perry gives the chronology and details of the security breach and implies that the company will have to close if Visa follows though on its decision to terminate CardSystems Solutions authority to process Visa cards. (http://www.cardsystems.com/pdf/CardSystemsWrittenTestimony.pdf) 

 

Perry's statement also says that it is clear that records of at least 239,000 unique credit cards were downloaded, records that had been stored in direct violation of Visa and MasterCard security standards.  Visa makes it clear (6 times) in a two page FAQ posted on their site that card holders are not responsible for fraud resulting from these stolen card records but mail order and Internet merchants can be.

(http://usa.visa.com/personal/security/security_breach.html?it=search)  Individual cardholders can be significantly inconvenienced when their cards get stolen because they may have to argue that they did not make specific purchases and get new cards.  As you might expect a class action lawsuit has already been filed in this case. (www.techfirm.com/cardsystems.pdf)

 

I no longer have a MasterCard (my bank switched me to Visa earlier this year) but if I did I would cancel and shred it.  MasterCard has shown by its inaction that the general felling that the card companies have little real interest in dealing with the security problems that plague the credit card industry is at least partially correct. A lot of people feel that the credit card companies have little real incentive to fix security problems because they are insulated from the suffering of the merchants and credit card holders.  Visa and AmEx have shown that, at least sometimes, this may be a false assumption.  But MasterCard has reinforced the common wisdom.

 

CardSystems Solutions is a company that, by their own admission, purposefully and with full understanding violated MasterCard's own rules and put tens of millions of credit card users at risk. If this does not get MasterCard to act I hate to imagine what it would take. 

 

CardSystems CEO Perry expresses surprise at Visa's actions. It seems he would rather the kind of penalty that the Security and Exchange Commission normally settles for - an agreement to not be bad in the future.  I'm also surprised at Visa's actions - pleasantly so.

 

disclaimer: You can't not be surprised at what happens at Harvard - it's so large and diverse but the university has not expressed an opinion on shredding MasterCards so the above is my own.