Lost Credit Data Improperly Kept, Company Admits
Zak3056 writes "Last week, Mastercard announced that up to 40,000,000 credit card numbers may have been compromised by one of their processing companies. Today, the New York Times (registration, along with first born child, required) is reporting that the company in question, CardSystems Solutions, should not have been retaining that data to begin with. John M. Perry, CEO of the processor in question, claims the data was merely being kept for 'research purposes.' The number of compromised Master Card accounts has been revised downward to about 68,000, with another 132,000 possibly compromised accounts belonging to Visa, American Express, and other companies."
I'm sure it's been mentioned every time a NYT article is posted, but use the NYT Link Generator.
Btw, NoReg for this article.
Your hair look like poop, Bob! - Wanker.
If I have been able to see further than others, it is because I bought a pair of binoculars.
Here is the reg free and "fricken huge flash ad skip" link.
I don't wanna be a troll here, but please, there are a dozen other sites that have the same article. Do we have to rely on a site that requires u to log in?
http://www.internetnews.com/security/article.php/3513866/
Translation: "We've come up with some fiction which will let us maintain plausible deniability next time we lose data we shouldn't have had in the first place."
As for the sensitive data, he added, "We no longer store it on files."
Translation: "We're going to come up with some nifty new word to replace the word 'file', so we can truthfully say that we no longer have your data in our files."
More seriously, it makes good sense to me that they were retaining data for research purposes. They'd be irresponsible not to, just as surely as they were irresponsible not to have an air gap between that data and the internet.
See what I've been reading.
Are we hearing about this more, or is it happening more?
We're hearing about it more because California passed a new law requiring disclosure of privacy breaches. California citizens get notified and that opens the story to the news media.
By the way, this is the same California that the conservatives love to bash for being "anti-business".
You're welcome.
It's simple: I demand prosecution for torture.
We used them as processors for about a year. We couldn't get rid of them fast enough. They hid all sorts of fees in our merchant charges and the "great deal" we got from them had so many exceptions that it was worthless. It left a real bad taste in my mouth. I sure hope they get the same treatment in reverse. Ha!
From TFA:
MasterCard said Saturday that 68,000 of its own account numbers were especially at risk because they were in a file found to have actually been "exported from the system."
In other words, 68,000 numbers were in a file exported from the system, but the system still contained 40 million credit card numbers from different credit card companies (Mastercard, Visa, American Express, etc).
Reinvent the wheel only at either a lower cost, greater effectiveness, or your own personal enrichment and satisfaction.
In the UK it is already a crime under the 1988 Data Protection Act, under the heading of recklessly disclosing personal information.
That's why this never happens in the UK.
Essentially they are just that: best practices. I just did an audit prepping a company for Visa CISP certification and most things they require are pretty standard like password complexity, physical security, encryption used over public links, etc. However the security all revolves around the credit card number so it's a little more focused than a normal security gig.
Also, Visa/Master require that vendors store as little info as possible in as few places as possible, and that they encrypt it in storage. Specifically no one is EVER supposed to store the CVV/CVC code or any portion of the magnetic stripe info. Also specific to this set of requirements, a subpoint of it being CC#-centric, is that even non-mission-critical systems have to have the same high level of security if they store CC info. So no one gives a shit if you are doing "research" or just processing sales, you HAVE to protect the numbers, ideally by encrypting that field in Oracle or something equivalent so when FedEx loses your backup tape it isn't a disaster.
One last caveat is that the program is still ramping up. It started about 4 years ago but most companies are struggling to implement the reqs still, and Visa is very understanding since if they are too stringent and cut off the offending vendor they lose revenue.
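To make the storage rules in the post above concrete, here is an added example (not the poster's code, not anything from CardSystems or the card brands) of a check that sits at the "about to be written to disk" boundary of a processor's pipeline. It rejects any record that still carries a CVV/CVC field or magnetic-stripe track data, validates the PAN, and then replaces the PAN with a keyed HMAC-SHA256 token plus the last four digits so a "research" dataset can still be joined on the card without the raw number ever being stored. The keyed token stands in for the encrypted-column approach the post mentions; the key, field names and the sample records are all constructed for the demo.

```python
"""Sanitise a card transaction record before it is persisted.

Constructed example. Rules implemented:
  * CVV/CVC and magnetic-stripe track data must never reach storage;
    a record that still carries them is rejected outright.
  * The PAN is checked (length + Luhn) and then replaced by a keyed
    token and the last four digits, so research joins still work.
"""
import hashlib
import hmac
import re

# Hypothetical key for the demo. In a real deployment this comes from an
# HSM/KMS and is rotated; it is never hard-coded like this.
TOKEN_KEY = b"constructed-demo-key-do-not-use"

# Field names that may never be written to persistent storage.
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "cvc2", "track1", "track2", "magstripe"}

# Track 1 starts "%B<PAN>^", Track 2 starts ";<PAN>=" (ISO/IEC 7813 layout).
TRACK_PATTERN = re.compile(r"(^%B\d{12,19}\^)|(^;\d{12,19}=)")


class StorageViolation(ValueError):
    """Raised when a record is not allowed to be stored as-is."""


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Deterministic keyed token for a PAN (same PAN + key -> same token)."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict, key: bytes = TOKEN_KEY) -> dict:
    """Return a copy of `record` that is safe to persist, or raise."""
    for name, value in record.items():
        if name.lower() in FORBIDDEN_FIELDS:
            raise StorageViolation(f"field {name!r} must never be stored")
        if isinstance(value, str) and TRACK_PATTERN.search(value):
            raise StorageViolation(f"field {name!r} contains magnetic-stripe track data")

    pan = record.get("pan")
    if not isinstance(pan, str):
        raise StorageViolation("record has no PAN to tokenize")
    pan = re.sub(r"\D", "", pan)            # strip spaces/dashes
    if not (12 <= len(pan) <= 19 and luhn_ok(pan)):
        raise StorageViolation("PAN fails length/Luhn check")

    safe = {k: v for k, v in record.items() if k != "pan"}
    safe["pan_token"] = tokenize_pan(pan, key)
    safe["pan_last4"] = pan[-4:]
    return safe


if __name__ == "__main__":
    # Constructed sample records; 4111 1111 1111 1111 is a standard test PAN.
    good = {"pan": "4111 1111 1111 1111", "amount": "12.50", "merchant": "M123"}
    print(sanitize_for_storage(good))
    for bad in (
        {"pan": "4111111111111111", "cvv": "123"},
        {"pan": "4111111111111111", "raw": ";4111111111111111=2512101?"},
        {"pan": "4111111111111112"},
    ):
        try:
            sanitize_for_storage(bad)
        except StorageViolation as exc:
            print("rejected:", exc)
```

The point of raising rather than silently dropping the offending field is that a CVV or track string reaching the storage layer means an upstream component is already mishandling authorisation data, and that is something you want to see in the logs, not paper over.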
(I work for a credit card processor.)
We need to be more specific. Some companies are credit card issuers -- they create the card numbers and own the bank accounts attached to those cards. Those companies end up collecting interchange and assessments (processing fees) on the sale, but then take the money back again.
Some companies (like the one I work for, and like the one in the story) are credit card processors. We don't issue cards, we process payments against those cards and deposit funds in merchants' bank accounts. We also bear financial responsibility for our merchants. If one of our merchants were to run a ton of fraudulent sales, take the money, and then flee to Mexico or something, we would be responsible for paying for the proceeds from those fraudulent sales to be returned to their customers. When a chargeback happens, we charge our merchants a chargeback handling fee, but we invest far more time and labor into processing the chargeback than what we bill.
Worse than that, if we're found to be responsible for a security problem like this, the bad press, fines, and required security audits and certifications cost much more money than would be made from processing fees.
Visa and Mastercard have this under control. They have created more than enough negative consequences for these kinds of actions that nobody would ever deliberately leak card numbers.
(Nobody ever does this, but Google for the CISP and PCI programs, with enough other search terms that you get credit-card-industry results and not PCI bus or whatever.)
Do you know what is supposed to happen with signed credit card receipts?
The merchant is supposed to keep them in a safe retrievable location for at least 18 months.
Data stored on computers? The bank we process through doesn't even know if we *own* a computer.
That's your bank's problem, not Mastercard/Visa's. I work at a processor that does credit card processing online and with software.
There is no guidance from Visa/MC/Amex/Discover on this at all.
Yes, indeed there is. Your processor should have given you (when you signed up with them) an operating procedures guide and a training explaining how you should and shouldn't process.
While I'm at it, let me explain something:
Mastercard and Visa are non-profit organizations. They =just= make the regulations. Issuing banks and processors are the ones that have to abide by the rules, and make money doing so.
http://www.visa.com/cisp
Read and enjoy. Deadline is the 30th of this month.
My understanding is that the credit card companies have their "zero liability" policy (consumer doesn't pay for fraudulent charges) in order to do just that. In one fell swoop, it keeps them from being sued by consumers (since they can't lose money from theft) and allows them to firmly place the burden on the processors for being responsible for the data. They dodge two bullets at once.
In Soviet Russia, sig types you!