This story appeared on Network World at

http://www.networkworld.com/columnists/2005/080105bradner.html

'Net Insider

Time to dump that MasterCard?

By Scott Bradner, Network World, 08/01/05

Half of the shoes have dropped on CardSystems, but it's unclear whether the others will. They should, and this company should be shut out of the credit card-processing business.

Since I last wrote about CardSystems Solutions, Visa has announced that the company would be barred from processing Visa card payments as of the end of October. American Express followed suit. But MasterCard seems to have decided to forgive and forget and let CardSystems keep processing MasterCards as long as it fixes its security soon.

In other words, MasterCard decided that business as usual was just fine. Discover has not yet made up its mind about what it's going to do.

The representatives of the credit card companies and the CEO of CardSystems also testified at a congressional subcommittee hearing on "Credit Card Data Processing: How Secure Is It?" But nothing much new seems to have come out of the hearing.

The prepared statement of CardSystems CEO John Perry gives the chronology and details of the security breach, and implies that the company will have to close if Visa follows though on its decision to terminate CardSystems' authority to process Visa cards.

Perry also stated it is clear that records of at least 239,000 unique credit cards were downloaded, records that had been stored in direct violation of Visa and MasterCard security standards. Visa makes it clear (six times) in a two-page FAQ posted on its site that card holders are not responsible for fraud resulting from these stolen card records, but mail order and Internet merchants could be.

Individual card holders can be significantly inconvenienced when their cards get stolen, because they may have to argue that they did not make specific purchases and get new cards. As you might expect, a class action lawsuit has been filed.

I no longer have a MasterCard (my bank switched me to Visa earlier this year), but if I did, I would cancel and shred it. A lot of people believe that credit card companies have little real incentive to fix security problems because they are insulated from the suffering of the merchants and credit card holders. Visa and AmEx have shown that, at least sometimes, this may be a false assumption. But MasterCard has reinforced the common wisdom.

CardSystems is a company that, by its own admission, purposefully and with full understanding violated MasterCard's rules and put tens of millions of credit card users at risk. If this does not get MasterCard to act, I hate to imagine what would.

CardSystems' Perry expressed surprise at Visa's actions. It seems he would rather face the kind of penalty that the Securities and Exchange Commission normally settles for, an agreement to not be bad in the future. I'm also surprised at Visa's actions - pleasantly so.

Disclaimer: You can't not be surprised at what happens at Harvard - it's so large and diverse. But the university has not expressed an opinion about shredding MasterCards, so the above is my own.