Visa to Bar Transactions by Processor

Visa USA said yesterday that it would stop allowing the payment processor CardSystems Solutions to handle its transactions, months after the processor left the records of millions of cardholders at risk for fraud.

"CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for those accounts," said Tim Murphy, Visa's senior vice president for operations in a memorandum sent to several banks. "Visa USA has decided that CardSystems should not continue to participate as an agent in the Visa system."

Cardholders and merchants should not be affected by the change.

Visa said its decision to remove CardSystems came after a review and an independent investigation found that the payment processor had improperly stored cardholder data and did not have the proper controls in place.

It is unclear if MasterCard and American Express will take similar action, but with Visa accounting for more than half of all card transactions, the move raises questions about the future of CardSystems.

"I've never heard of them booting off a processor," said Avivah Litan, a security analyst at Gartner Inc., a technology research group. "The worst thing that I've heard is a processor that had to cough up $1 million."

The move came at least two months after Visa first learned that data had been compromised and just days before its executives, along with those of other major card companies, have been called to testify in Washington about their security practices. The chief executive of CardSystems, John M. Perry, is also expected to testify on Thursday.

In a statement released yesterday, CardSystems said Visa's decision was unexpected and upsetting. "We are disappointed and very surprised that Visa has decided to take this action today, not only because of the impact that it will have on our employees, but the disruption that it will cause to our 110,000 merchant customers," the processor said in a statement. "We hope that Visa will reconsider."

Visa has given at least 11 banks, which hired CardSystems to handle the merchant transactions, until the end of October to change processors, the memo said. Until then, CardSystems will be allowed to process Visa transactions as long as it has corrected any problems and allows a Visa-affiliated monitor on site to oversee its operations in Tucson. CardSystems is also banned from handling Visa transactions from its international affiliates or any new merchants, processors or member banks in the United States.

Visa had been weighing the decision for a few weeks but as recently as mid-June said that it was working with CardSystems to correct the problem. CardSystems hired an outside security assessor this month to review its policies and practices, and it promised to make any necessary upgrades by the end of August. CardSystems, in its statement yesterday, said the company's executives had been "in almost daily contact" with Visa since the problems were discovered in May.

Visa, however, said that despite "some remediation efforts" since the incident was reported, the actions by CardSystems were not enough.

"Visa cannot overlook the significant harm the data compromise and CardSystems' failure to maintain the required security protections has had on member financial institutions and merchants as well as the significant concerns it raised for cardholders," the company said in a statement.

At this point, it is unclear what the other branded card companies will do. MasterCard has previously said that it was giving CardSystems a "limited amount of time to demonstrate compliance with MasterCard security requirements" but never laid out a specific timetable.

Sharon Gamsin, a MasterCard spokeswoman, did not return calls seeking comment. Judy Tenzer, an American Express spokeswoman, said the company did not comment about its relationships with vendors. Leslie Sutton, a Discover Financial spokeswoman, could not offer an immediate response.

Visa's decision is the latest development since the disclosure in mid-June that the CardSystems computer network had been compromised, putting the cardholder names, account numbers and security codes of as many as 40 million credit and debit cardholders at risk for fraud. The information of about 22 million Visa cardholders was exposed; MasterCard reported the data of 14 million of its cardholders was potentially at risk; and the rest largely belonged to customers of American Express and Discover.

At the time, Mr. Perry of CardSystems acknowledged that the company had been improperly storing data, violating Visa and MasterCard security rules. He said data thieves directly obtained information related to some 200,000 cardholder accounts. The F.B.I. and a group of federal banking regulators are now investigating.

In its statement, Visa offered its most scathing indictment of those security violations to date. The chief executive of CardSystems had "stated that the company knowingly retained unmasked magnetic stripe cardholder data, purportedly for 'research purposes,' " Visa said. "Visa's security requirements were adopted precisely for the purpose of protecting cardholder information and guarding against the type of data compromise recently experienced by CardSystems."

In the letter Visa sent to the banks, Mr. Murphy suggested that the data breach occurred as early as August 2004.

By ERIC DASH
The New York Times.
