Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lost Credit Data Improperly Kept, Company Admits

Posted by timothy on from the just-researching-your-privacy-loss-tolerance dept.

Zak3056 writes "Last week, Mastercard announced that up to 40,000,000 credit card numbers may have been compromised by one of their processing companies. Today, the New York Times (registration, along with first born child, required) is reporting that the company in question, CardSystems Solutions, should not have been retaining that data to begin with. John M. Perry, CEO of the processor in question, claims the data was merely being kept for 'research purposes.' The number of compromised Master Card accounts has been revised downward to about 68,000, with another 132,000 possibly compromised accounts belonging to Visa, American Express, and other companies."

7 of 272 comments (clear)

  1. No Reg Link by OverlordQ · · Score: 4, Informative

    I'm sure it's been mentioned every time a NYT article is posted, but use the NYT Link Generator .

    Btw, NoReg for this article.

    --
    Your hair look like poop, Bob! - Wanker.
  2. Credit Card Doublespeak by Qzukk · · Score: 5, Informative
    "The number of compromised Master Card accounts has been revised downward to about 68,000, with another 132,000 possibly compromised accounts belonging to Visa, American Express, and other companies."
    Should be read as
    "The number of compromised Master Card accounts from accountholders in California where we actually have to report this is about 68,000. Another 132,000 people in California with Visa, American Express, and other credit card companies' cards also had their account information taken"
    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  3. Ad Free Link by ravenspear · · Score: 4, Informative

    Here is the reg free and "fricken huge flash ad skip" link.

  4. NYT ?? What gives by Rac3r5 · · Score: 5, Informative

    I don't wanna be a troll here, but please, there are a dozen other sites that have the same article. Do we have to rely on a site that requires u to log in?
    http://www.internetnews.com/security/article.php/3 513866/

  5. So, there's a new name for a file? by RealAlaskan · · Score: 3, Informative
    "We should not have been doing that," Mr. Perry said. "That, however, has been remediated."

    Translation: ``We've come up with some fiction which will let us maintain plausible deniability next time we lose data we shouldn't have had in the first place.''

    As for the sensitive data, he added, "We no longer store it on files."

    Translation: ``We're going to come up with some nifty new word to replace the word `file', so we can truthfully say that we no longer have your data in our files.''

    More seriously, it makes good sense to me that they were retaining data for research purposes. They'd be irresponsible not to, just as surely as they were irresponsible not to have an air gap between that data and the internet.

    --
    See what I've been reading.
  6. Re:Support legislation making this a crime. by cdavies · · Score: 3, Informative

    In the UK it is already a crime under the 1988 Data Protection Act, under the heading of recklessly disclosing personal information.

    Thats why this never happens in the UK.

  7. Read here for how Visa/Mastercard control this crp by twigles · · Score: 3, Informative
    Ok, Visa and Mastercard have a set of thresholds and guidelines for data security, retention and the like. How it works in a nutshell is once a business, be it your local cable provider or some card processing company or whatever, hits some number (not sure what that is) of transactions or money, they have to conform to a set of "best practices" defined by Visa/Mastercard (the two have agreed to the same set of requirements). Look here for more info or just google for "visa cisp".

    Essentially they are just that: best practices. I just did an audit prepping a company for Visa CISP certification and most things they require are pretty standard like password complexity, physical security, encryption used over public links, etc.. However the security all revolves around the credit card number so it's a little more focused than a normal security gig.

    Also, Visa/Master require that vendors store as little info as possible in as few places as possible, and that they encrypt it in storage. Specifically no one is EVER supposed to store the CVV/CVC code or any portion of the magnetic stripe info. Also specific to this set of requirements, a subpoint of it being CC#-centric, is that even non-mission-critical systems have to have the same high level of security if they store CC info. So no one gives a shit if you are doing "research" or just processing sales, you HAVE to protect the numbers, ideally by encrypting that field in Oracle or something equivalent so when FedEx loses your backup tape it isn't a disaster.

    One last caveat is that the program is still ramping up. It started about 4 years ago but most companies are struggling to implement the reqs still, and Visa is very understanding since if they are too stringent and cut off the offending vendor they lose revenue.