[IP] Regulators Start Inquiry in Data Loss
Note they will not tell us the Banks involved. djf
June 22, 2005
Regulators Start Inquiry in Data Loss
By ERIC DASH
Federal banking regulators said yesterday that they had started an
investigation into CardSystems Solutions, the payment processor where
a security breach has put millions of American cardholders at risk
for fraud.
The Federal Financial Institutions Examination Council, an
interagency group of the five federal banking regulators, said the
investigation began last week. Officials are assessing security at
CardSystems' operational centers, at the major credit card companies
and at any banks that may be involved, the council said. It would not
identify the banks contacted in the inquiry.
The investigation is expected to take two to four weeks. There is a
separate criminal investigation by the Federal Bureau of Investigation.
MasterCard said Friday that information from 40 million credit and
debit card accounts was exposed after an intruder gained access to
CardSystems' computer network. CardSystems has acknowledged that the
account information of perhaps 200,000 cards from Visa, MasterCard
and American Express was stolen.
"We became aware of an issue, and we will now conduct an
examination," said Michael L. Jackson, the associate director of the
consumer protection division of the Federal Deposit Insurance
Corporation, a member of the interagency council.
"When you are talking about a theft of that size, that is the logical
step," said Mr. Jackson, who oversees the regulation of information
technology for the banking industry.
A CardSystems spokeswoman said the company declined to comment.
The federal banking regulators are interviewing officials at
CardSystems to determine whether its computer system and internal
controls met government security guidelines. They are also reviewing
the results of the processing company's financial and security audits.
"We look to see if they have had vulnerability assessments, scans,
and if they have firewalls," Mr. Jackson said, and the assessment
will also look at whether the customer data was encrypted. "There can
be differences in what our expectations are and their expectations are."
Mr. Jackson said federal regulators have also contacted MasterCard,
Visa, American Express and the other card companies to help assess
what went wrong at CardSystems.
A Visa spokeswoman, Rosetta Jones, said the company met with the
regulator as part of a regular review, but the data breach was only
one of the items discussed. Representatives of MasterCard and Visa
said they did not know if their companies had been contacted by the
regulators.
Mr. Jackson said the regulators are identifying the banks that issue
credit cards to consumers and transfer money to the merchants. Those
banks are also responsible for ensuring that the payment processors
they hire follow the security rules of the payment associations.
"We are discussing with the banks to find out whatever information
there is about the breach," Mr. Jackson said. "We want to know what
they know."
Security oversight of the major players in the credit card industry
is as complicated as the multistep payment process itself. The banks
that issue cards and hire the processing companies may be regulated
by one of five federal agencies; they are also subject to the
regulatory council's information technology and security assessment
every 18 to 36 months.
The payment associations have no direct federal financial regulator,
but they are also subject to the council's security review on a
similar schedule. Both groups may also be subject to informal reviews.
There is, however, no regular security assessment for processing
companies, like CardSystems, even though they handle the transaction
data of millions of consumers each day. Assessments of processors are
conducted on an as-needed basis. "When there are issues or risks are
identified, we conduct an investigation," Mr. Jackson said.
Associations like Visa and MasterCard impose rules for payment
processors that handle data linked to their network. The processors
are required to pass an annual outside security audit to ensure they
meet the associations' standards. They are also subject to quarterly
network scans to detect any vulnerabilities, but those results are
made available to the payment associations only on request. The
primary oversight of a processing company's security, however, is
left to the banks that pay for their services.
"MasterCard requires our banks to comply with all our standards,"
said Joshua Peirez, a senior vice president at MasterCard who is
responsible for policy. Mr. Peirez said it was up to the banks, and
those with whom they contract, to ensure compliance.
The interagency council has only indirect enforcement power over the
processors.
"We don't have enforcement over these" companies, Mr. Jackson said.
"We have enforcement over financial institutions."
The banks, he added, "can assess monetary penalties" against
noncompliant processors, and ultimately, "They don't have to sponsor
them anymore."