Lost Credit Data Improperly Kept, Company Admits

Zak3056 writes "Last week, Mastercard announced that up to 40,000,000 credit card numbers may have been compromised by one of their processing companies. Today, the New York Times (registration, along with first born child, required) is reporting that the company in question, CardSystems Solutions, should not have been retaining that data to begin with. John M. Perry, CEO of the processor in question, claims the data was merely being kept for 'research purposes.' The number of compromised Master Card accounts has been revised downward to about 68,000, with another 132,000 possibly compromised accounts belonging to Visa, American Express, and other companies."

Re:Slight difference?

[Tuxedo+Jack]

Even so, the issue is that it was still improperly retained - and that corporate America isn't giving a damn about security for the average joe's accounts and such.

This isn't working out..

[aero2600-5]

Apparently, keeping credit card numbers secure isn't working out. Why? Because it's just a number. The major credit companies need to revise how the whole credit system works. If they assume that everyone knows everyone else's credit card number by default, they should be able to devise a system a hell of a lot more secure than some 16 digit number. Your credit card number has to be retained by anyone you do business with so that they know who you are. Credit card security needs some major improvements, like a passphrase, password, or even a PIN. A 4-digit PIN would make a world of difference, but if you're going to fix it, you should fix it right. A passphrase would be best. Something that's communicated when the authorization is taking place, checked against a nice secure server, and then is forgotten and not retained. The fact that a system of this nature is not yet in place just shows that the major credit card companies just don't give a shit.
/end rant

Aero

Re:This isn't working out..

[bracher]

I agree that something more secure than a 16-digit number is certainly feasible and needed. But it shouldn't be something that needs to be passed through a third party. The card should be a smart card capable of signing a transaction, and only the signature should be transmitted.

Something that's communicated when the authorization is taking place, checked against a nice secure server, and then is forgotten and not retained.

The essential point you're missing here is that, currently, your 16-digit card number _is_ this something. The core of the problem (this time at least) is that the processing company wasn't following those rules. What keeps them from holding on to your passphrase for 'analysis'?

Re:This isn't working out..

[Stonehand]

Well, judging by the article, Mastercard specifically told the processor *not* to retain information -- and the latter did, anyway. The policy already existed.

No, to block things you'd need to do more than tell them not to retain information. You'd need to make sure that even if they did, it was useless. This might point towards requiring people to generate one-time passwords, which would probably be a fair expensive.

Re:This isn't working out..

[spood]

Credit card fraud is not a technical problem. Using the old adage, we cannot apply a technical solution. All of the extra verification proposed implies an added cost that will still not solve the problem - if you require a passphrase or some secondary authentication, thieves will just steal the second factor as well.

The best solution is to shift the responsibility for fraud to those that are responsible for allowing it - the merchants who process card transactions. This is how it is already done, and the fact that plenty of merchants still do business with credit cards proves that the system works, despite the fact that CC companies don't "give a shit."

As a consumer, I'd be perfectly fine with everyone knowing my credit card number because I'm not responsible for fraudulent purchases by law. This is a system that works.

What you should really be upset about it is the system that allows identity theft to run rampant. Though the two are related, there is a fundamental difference between someone else using a credit card you've established in your name and someone else using a credit card that they've established in your name.

The current system is much weaker against this type of activity because the burden of responsibility for fraud is still heavily on the consumer rather than the parties that allow identity theft to be profitable (mainly banks, but to a lesser extent any industry that relies on credit reporting). The solution to this problem is not so clear.

Time for a new system

[lawpoop]

It's time for a new system. This credit card BS is getting ridiculous. Credit card numbers are easy to hack/steal, so cc comapnies start asking for address verification, or for that 3-digit 'security' code on the back. Now, address and security code information are being stolen.

We need a new system based on PGP or something. A system where we have single-use transaction numbers, and you have give a PGP signature for each usage of a transaction number. Right now it's way to easy for hackers to steal credit card information, or for unethical merchants to make unauthorized charges. We need to put the consumer back in charge of their own finances.

Currently , any 'merchant' can charge whatever they want once they have your credit card number. Sure, you can issue a chargeback or contest the charges, but why should *you* have to clean up after someone messes with your account? It's ridiculous.

Tougher privacy laws.

[Goalie_Ca]

People have to realize that privacy isn't just some criminal's ideal to keep from getting caught. If the data is out there it will be seen, hacked, sold and abused.

We end up paying in the end...

[Toadius]

Damn it, I'm sick of this weekly news of credit card security breaches. In this case the data wasn't even encrypted.

"Zero liability for customers means that fraudulent charges come out of a bank or store's coffers in the form of higher merchant transaction fees. 'The retailers will pay for it and the issuing banks will get rich off it,' Ms. Litan said. 'It's just another revenue stream.'"

Sorry, I call bullshit. Retailers pass the higher costs onto you and I.

"'We should not have been doing that,' Mr. Perry said. 'That, however, has been remediated.' As for the sensitive data, he added, 'We no longer store it on files.'"

Thats just fine Mr. Perry. Now may I have the credit card numbers, addresses, phone numbers, ss#'s, etc. of you, your family and the execs at Cardsystems Solutions? I *promise* to keep them safe and give them the same care you provided the other customers....

Why are they still in business?

[stinerman]

From TFA:

Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with MasterCard's standards. "They were in violation of our rules," she said.

Asked about compliance with Visa's standards, a Visa spokeswoman, Rosetta Jones, said, "This particular processor was not following Visa's security requirements when we found out there was a potential data compromise."

Question:

Why is CardSystems Solutions still a processor for Visa and MasterCard?