This story appeared on Network World at http://www.networkworld.com/columnists/2005/062705bradner.html

'Net Insider

The winner so far: CardSystems Solutions

By Scott Bradner, Network World, 06/27/05
We have a new leader in the race to see which vendor can quantitatively show the least regard for the people whose data they hold. CardSystems Solutions, a third-party credit card processor, now has admitted disregarding the credit card industry security rules they should have been following. In light of such a willful disregard of mandated rules, I do not understand why CardSystems is still in the credit card processing business.

Some industry leaders have told Congress it would be a bad idea to require that credit card companies tell people their private data might be at risk after a failure of computer or organizational security. They have claimed that people would soon become overwhelmed by all the notices and give up.

The industry seems determined to test that hypothesis. For the last few months there has been a steady drumbeat of announcements, most but not all driven by a California law that requires such announcements when the privacy of people's financial information is at risk.

So far, people and the media are still interested, at least in the big cases such as a recent one in which a hacker accessed information about 40 million credit card holders at CardSystems.
I wonder what the reaction to a future breach exposing a mere 5 million people would be. The announcement of the break-in at CardSystems came from MasterCard, but holders of all the major brands of credit cards were at risk. Visa seemed a bit ticked off that MasterCard had spilled the beans.

Visa said that it was working with law enforcement and it hoped that MasterCard telling its cardholders the truth would not hinder the investigation. Seems to me that Visa's priorities are misplaced.

In my opinion, hiding the truth in the name of law enforcement is an excuse to delay taking responsibility. MasterCard reported that CardSystems did not meet the current Payment Card Industry Security Standard. These mandates, which are actually quite good, were supposed to be in effect at companies the size of CardSystems last September. Yet, half a year later, a company processing millions of credit cards per year was ignoring parts of the standard and now has admitted to doing so.
According to the payment card industry, failure to meet the requirements can result in a permanent prohibition of participation in credit card programs. If the payment card industry is as serious about security as it claims to be, it will use this willful disregard of its own rules to send a message - it will permanently ban CardSystems from processing credit card transactions.

I feel sorry for some of the people that work at CardSystems but not sorry enough to suggest that the company be given a slap on the wrist if it promises to be good in the future.

By the way, three days after this column is published the PCI Security Standard will go into effect for all organizations that process credit cards in any way. If you process credit cards, do not mimic CardSystems - meet the standard.

Disclaimer: Harvard sets standards in some areas and follows them in others but the university has not expressed an opinion about CardSystems, so the above suggestion is my own.
All contents copyright 1995-2005 Network World, Inc. http://www.networkworld.com